GoogleOSV:GHSA-32FQ-M2Q5-H83GXWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
8.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
0.001 Low
EPSS
Percentile
32.5%
Impact
A user without script rights can introduce a stored XSS by using the Live Data macro.
For instance:
{{liveData id="movies" properties="title,description"}}
{
"data": {
"count": 1,
"entries": [
{
"title": "Meet John Doe",
"url": "https://www.imdb.com/title/tt0033891/",
"description": "<img src />"
}
]
},
"meta": {
"propertyDescriptors": [
{
"id": "title",
"name": "Title",
"visible": true,
"displayer": {"id": "link", "propertyHref": "url"}
},
{
"id": "description",
"name": "Description",
"visible": true,
"displayer": "html"
}
]
}
}
{{/liveData}}
Patches
This has been patched in XWiki 14.9, 14.4.7, and 13.10.10.
Workarounds
No known workaround.
References
https://jira.xwiki.org/browse/XWIKI-20143
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
References
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79
github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028
github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
jira.xwiki.org/browse/XWIKI-20143
nvd.nist.gov/vuln/detail/CVE-2023-26480
Related
8.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
0.001 Low
EPSS
Percentile
32.5%