CVE-2023-32070

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1	Patch
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp	Patch Vendor Advisory
https://jira.xwiki.org/browse/XRENDERING-663	Vendor Advisory
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1	Patch
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp	Patch Vendor Advisory
https://jira.xwiki.org/browse/XRENDERING-663	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:rendering:3.0:milestone_2::::::
	cpe:2.3:a:xwiki:xwiki::::::::

History

21 Nov 2024, 08:02

Type	Values Removed	Values Added
References	~~() https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 - Patch~~	() https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 - Patch
References	~~() https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp - Patch, Vendor Advisory~~	() https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp - Patch, Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XRENDERING-663 - Vendor Advisory~~	() https://jira.xwiki.org/browse/XRENDERING-663 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : 9.0

17 May 2023, 20:12

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:xwiki:rendering:3.0:milestone_2:::::: cpe:2.3:a:xwiki:xwiki::::::::
CWE	~~CWE-83~~	CWE-79
First Time		Xwiki xwiki Xwiki rendering Xwiki
References	~~(MISC) https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 -~~	(MISC) https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 - Patch
References	~~(MISC) https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp -~~	(MISC) https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp - Patch, Vendor Advisory
References	~~(MISC) https://jira.xwiki.org/browse/XRENDERING-663 -~~	(MISC) https://jira.xwiki.org/browse/XRENDERING-663 - Vendor Advisory

10 May 2023, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-10 18:15

Updated : 2025-01-27 18:15

NVD link : CVE-2023-32070

Mitre link : CVE-2023-32070

CVE.ORG link : CVE-2023-32070

JSON object : View

Products Affected

xwiki

xwiki
rendering

CWE

CWE-83

Improper Neutralization of Script in Attributes in a Web Page

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

9.0 /10