CVE-2023-37908

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute...

Cross site scripting

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute...

CVE-2023-37908

The CVE affects XWiki Rendering (xwiki-rendering) where a change to attribute cleaning during XHTML rendering introduced in version 14.6-rc-1 allowed arbitrary HTML injection via invalid attribute names. This could enable XSS (e.g., via link syntax in content like comments) and, for privileged us...

XWiki Rendering Cross-Site Scripting Vulnerability

XWiki Rendering is a general-purpose rendering system from the XWiki Foundation that converts text input from a given syntax wiki syntax, HTML, etc. to another syntax XHTML, etc.. A security vulnerability exists in XWiki Rendering, which stems from an attribute cleaning during XHTML rendering tha...

PT-2023-26177 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions 14.6-rc-1 through 14.10.3 XWiki versions prior to 15.0 RC1 Description: The issue concerns the cleaning of attributes during XHTML rendering in XWiki, which allowed the injection of arbitrary HTML code and thus cross-site...