Lucene search

[email protected]NVD:CVE-2023-35160

HistoryJun 23, 2023 - 7:15 p.m.

CVE-2023-35160

2023-06-2319:15:09

CWE-79

CWE-87

[email protected]

web.nvd.nist.gov

xwiki

xss

resubmit

url

vulnerability

patch

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

9.3 High

AI Score

Confidence

High

0.462 Medium

EPSS

Percentile

97.4%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It’s possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain). This vulnerability exists since XWiki 2.5-milestone-2. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Affected configurations

NVD

Node

xwikixwikiRange3.0–14.10.5

xwikixwikiMatch2.5milestone2

xwikixwikiMatch15.0

References

github.com/xwiki/xwiki-platform/commit/dbc92dcdace33823ffd1e1591617006cb5fc6a7f

github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3

jira.xwiki.org/browse/XWIKI-20343

jira.xwiki.org/browse/XWIKI-20583

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

9.3 High

AI Score

Confidence

High

0.462 Medium

EPSS

Percentile

97.4%

JSON

Related for NVD:CVE-2023-35160

cve1 osv2 github1 prion1 cvelist1 nuclei1