Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
CVE-2023-32070

6.1MEDIUM

Key Information:

Vendor

Xwiki
Status
Xwiki-rendering
Vendor
CVE Published:
10 May 2023

What is CVE-2023-32070?

The XWiki Platform, a widely used generic wiki solution, contains a vulnerability in its HTML rendering mechanism prior to version 14.6-rc-1. This flaw allows attackers to inject malicious scripts into web pages through unsafe attributes and link URLs, facilitating Cross-Site Scripting (XSS) attacks. Users are encouraged to upgrade to the latest version, 14.6-rc-1 or later, to mitigate the risk. No known workarounds exist, thus immediate action is recommended to secure affected installations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

xwiki-rendering < 14.6-rc-1 < 14.6-rc-1

xwiki-rendering <= 3.0-milestone-2 <= 3.0-milestone-2

References

https://github.com/xwiki/xwiki-rendering/security/advisor...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9...
x_refsource_MISC
https://jira.xwiki.org/browse/XRENDERING-663
x_refsource_MISC

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.