Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
CVE-2023-32070

6.1MEDIUM

Key Information:

Vendor: Xwiki
Status: Xwiki-rendering
Vendor: CVE Published:; 10 May 2023

What is CVE-2023-32070?

The XWiki Platform, a widely used generic wiki solution, contains a vulnerability in its HTML rendering mechanism prior to version 14.6-rc-1. This flaw allows attackers to inject malicious scripts into web pages through unsafe attributes and link URLs, facilitating Cross-Site Scripting (XSS) attacks. Users are encouraged to upgrade to the latest version, 14.6-rc-1 or later, to mitigate the risk. No known workarounds exist, thus immediate action is recommended to secure affected installations.

Affected Version(s)

xwiki-rendering < 14.6-rc-1 < 14.6-rc-1

xwiki-rendering <= 3.0-milestone-2 <= 3.0-milestone-2

References

https://github.com/xwiki/xwiki-rendering/security/advisor...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9...

x_refsource_MISC

https://jira.xwiki.org/browse/XRENDERING-663

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 10, 2023
Vulnerability Reserved
May 1, 2023

Xwiki

What is CVE-2023-32070?

Affected Version(s)

References

CVSS V3.1

Timeline