Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
CVE-2023-31126

9.6CRITICAL

Key Information:

Vendor
xwiki
Status
xwiki-commons
Vendor
CVE Published:
9 May 2023

Summary

A vulnerability exists in the xwiki-commons-xml library, which is part of the XWiki platform. The HTML sanitizer, introduced in version 14.6-rc-1, is susceptible to cross-site scripting due to the handling of invalid data attributes. Attackers can exploit this weakness by injecting arbitrary HTML code. Although restricted cleaning is effective in HTMLCleaner, allowing only permitted characters for data attributes has been implemented in versions 14.10.4 and 15.0 RC1. Users are urged to upgrade to these versions as no other workarounds are available.

Affected Version(s)

xwiki-commons >= 14.6-rc-1, < 14.10.4

References

https://github.com/xwiki/xwiki-commons/security/advisorie...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e...
x_refsource_MISC
https://jira.xwiki.org/browse/XCOMMONS-2606
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.