CVE-2023-32070

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-32070
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 Patch
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp Patch Vendor Advisory
https://jira.xwiki.org/browse/XRENDERING-663 Vendor Advisory
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 Patch
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp Patch Vendor Advisory
https://jira.xwiki.org/browse/XRENDERING-663 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:rendering:3.0:milestone_2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:02

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1 		v2 : unknown
v3 : 9.0
References () https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 - Patch () https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 - Patch
References () https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp - Patch, Vendor Advisory () https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp - Patch, Vendor Advisory
References () https://jira.xwiki.org/browse/XRENDERING-663 - Vendor Advisory () https://jira.xwiki.org/browse/XRENDERING-663 - Vendor Advisory
Information

Published : 2023-05-10 18:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32070

Mitre link : CVE-2023-32070

CVE.ORG link : CVE-2023-32070

JSON object : View

Products Affected

xwiki

  • rendering
  • xwiki
CWE
CWE-83

Improper Neutralization of Script in Attributes in a Web Page

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024