org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
CVE-2023-29201

9 CRITICAL

Key Information:

Vendor:
xwiki
CVE Published:
15 April 2023

Summary

The restricted mode of the HTML cleaner in XWiki Commons, introduced in version 4.2-milestone-1, fails to adequately escape certain HTML attributes, so attacker-controlled JavaScript can be injected into content that is supposed to be rendered safely. The vulnerability is triggered when a privileged user with programming rights views a malicious comment in XWiki: the injected JavaScript then runs in that user's session. Because the victim holds programming rights, script running in their session can be leveraged into server-side code execution, compromising the confidentiality, integrity, and availability of the XWiki instance. The issue has been addressed in XWiki version 14.6 RC1, which implements a more robust filter that allows only specified HTML elements and attributes in restricted mode. Users are encouraged to upgrade to a patched version to mitigate the risk.
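To illustrate the allowlist approach described in the fix (an explicit list of permitted elements and attributes rather than per-attribute escaping), here is an added Python example of a restricted-mode HTML cleaner. It is not XWiki's code; the element/attribute policy, the permitted URL schemes, the handling of script/style content and the sample comment are all assumptions constructed for this demonstration.

```python
"""Allowlist-based restricted-mode HTML cleaner (illustrative, not XWiki's implementation)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical restricted-mode policy (an assumption, not XWiki's real configuration):
# only these elements survive, and each keeps only the attributes listed for it.
# Event handlers (onclick, onerror, ...) and style are never listed, so they are always dropped.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                 # elements without a closing tag
DROP_CONTENT = {"script", "style"}   # disallowed elements whose text content is also discarded
URL_ATTRS = {"href", "src"}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL


def url_is_safe(value: str) -> bool:
    """Accept only URLs whose scheme is on the allowlist (case-insensitive, whitespace-tolerant)."""
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in SAFE_URL_SCHEMES


class RestrictedHtmlCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, then re-escaped on output
        self.out = []
        self.open_tags = []   # allowed elements currently open, for balanced output
        self.dropping = 0     # > 0 while inside script/style, whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED:
            return  # element removed; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # attribute not on the allowlist for this element
            value = value or ""
            if name in URL_ATTRS and not url_is_safe(value):
                continue  # disallowed scheme: drop the attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_tags:
            return  # stray or disallowed end tag
        # Close everything opened after this tag so the output stays balanced.
        while self.open_tags:
            open_tag = self.open_tags.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything left open by unbalanced input
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def clean_restricted(html: str) -> str:
    cleaner = RestrictedHtmlCleaner()
    cleaner.feed(html)
    cleaner.close()
    return cleaner.result()


# Constructed sample comment: harmless placeholder handlers, used only to show what is dropped.
SAMPLE_COMMENT = (
    '<p onclick="run()">Hello <b>world</b> '
    '<a href="https://example.org" title="ok" onmouseover="run()">link</a> '
    '<a href="javascript:run()">bad</a> '
    '<img src="x" onerror="run()">'
    '<script>run()</script></p>'
)

if __name__ == "__main__":
    print(clean_restricted(SAMPLE_COMMENT))
```

The important design choice is that nothing is decided per attribute value: an attribute survives only if it is explicitly listed for that element, and URL-bearing attributes are further checked against a scheme allowlist. Comments and declarations are silently ignored by the default handlers, and text is always re-escaped on output, so decoded entities cannot smuggle markup through.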

Affected Version(s)

xwiki-commons >= 4.2-milestone-1, < 14.6-rc-1

References

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved