1. Home
  2. Vulnerabilities
  3. CVE-2023-35158

CVE-2023-35158

CVSS v3.1 6.1 (Medium)
61% Progress
EPSS 44.71 % (97th)
44.71% Progress
Affected Products 1
Advisories 1
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Graph Web & Social Timeline

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Weaknesses
CWE-87
Improper Neutralization of Alternate XSS Syntax
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2023-06-23 19:15:09
(15 months ago)
Updated Date
2023-06-30 13:10:25
(14 months ago)

Affected Products

Xwiki

Configuration #1

    CPE23 From Up To
  Xwiki from 9.4 version and prior 14.10.5 version cpe:2.3:a:xwiki:xwiki >= 9.4 < 14.10.5
  Xwiki 9.4 cpe:2.3:a:xwiki:xwiki:9.4:-
  Xwiki 9.4 Rc-1 cpe:2.3:a:xwiki:xwiki:9.4:rc-1
  Xwiki 15.0 cpe:2.3:a:xwiki:xwiki:15.0:-