CVE-2023-34464

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tricking another user to visit that document with the `displaycontent` or `rendercontent` template and plain output syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation. This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not an HTML syntax.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:*

History

30 Jun 2023, 13:14

Type Values Removed Values Added
First Time Xwiki
Xwiki xwiki
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:*
References (MISC) https://jira.xwiki.org/browse/XWIKI-20290 - (MISC) https://jira.xwiki.org/browse/XWIKI-20290 - Exploit, Issue Tracking, Patch, Vendor Advisory
References (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7 - (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7 - Exploit, Vendor Advisory
References (MISC) https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df - (MISC) https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df - Patch, Vendor Advisory

23 Jun 2023, 15:49

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-23 15:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-34464

Mitre link : CVE-2023-34464

CVE.ORG link : CVE-2023-34464


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')