VYPR
Critical severity · NVD Advisory · Published May 10, 2023 · Updated Jan 27, 2025

Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

CVE-2023-32070

Description

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering did not check for dangerous attributes or attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., those supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.rendering:xwiki-rendering-syntax-xhtml (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.platform:xwiki-core-rendering-api (Maven) | <= 3.0-milestone-2 | |
| org.xwiki.rendering:xwiki-rendering-syntax-html (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-html5 (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-annotatedxhtml (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-annotatedhtml5 (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.platform:xwiki-platform-annotation-core (Maven) | < 14.6-rc-1 | 14.6-rc-1 |
