org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
CVE-2023-37908

9.6CRITICAL

Key Information:

Vendor
xwiki
Status
xwiki-rendering
Vendor
CVE Published:
25 October 2023

Summary

A vulnerability in XWiki Rendering enables the injection of arbitrary HTML through improper cleaning of attributes during XHTML rendering. This flaw, introduced in version 14.6-rc-1, can be exploited via malicious links in XWiki-compatible content, executing arbitrary JavaScript in the context of the user's session. If the targeted user holds programming rights, this could lead to server-side code execution, compromising the confidentiality, integrity, and availability of the XWiki instance. The issue has been addressed in versions 14.10.4 and 15.0 RC1 by improving attribute validation and removal of disallowed characters. Upgrading to these versions is essential to mitigate the risk.

Affected Version(s)

xwiki-rendering >= 14.6-rc-1, < 14.10.4

References

https://github.com/xwiki/xwiki-rendering/security/advisor...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-rendering/security/advisor...
x_refsource_MISC
https://github.com/xwiki/xwiki-rendering/commit/f4d5acac4...
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.