Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
CVE-2023-32070

6.1MEDIUM

Key Information:

Vendor
xwiki
Status
xwiki-rendering
Vendor
CVE Published:
10 May 2023

Summary

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

Affected Version(s)

xwiki-rendering < 14.6-rc-1 < 14.6-rc-1

xwiki-rendering <= 3.0-milestone-2 <= 3.0-milestone-2

References

https://github.com/xwiki/xwiki-rendering/security/advisor...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9...
x_refsource_MISC
https://jira.xwiki.org/browse/XRENDERING-663
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.