Lucene search

K
nvd[email protected]NVD:CVE-2023-35156
HistoryJun 23, 2023 - 7:15 p.m.

CVE-2023-35156

2023-06-2319:15:09
CWE-87
CWE-79
web.nvd.nist.gov
3
xwiki platform
xss vulnerability
javascript injection
forged urls
security patch

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

9.2

Confidence

High

EPSS

0.1

Percentile

95.0%

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It’s possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn’t enough to entirely fix the vulnerability.

Affected configurations

Nvd
Node
xwikixwikiRange6.0.114.10.6
OR
xwikixwikiMatch6.0milestone1
OR
xwikixwikiMatch6.0milestone2
OR
xwikixwikiMatch15.0
VendorProductVersionCPE
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwikixwiki6.0cpe:2.3:a:xwiki:xwiki:6.0:milestone1:*:*:*:*:*:*
xwikixwiki6.0cpe:2.3:a:xwiki:xwiki:6.0:milestone2:*:*:*:*:*:*
xwikixwiki15.0cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:*

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

9.2

Confidence

High

EPSS

0.1

Percentile

95.0%

Related for NVD:CVE-2023-35156