Critical severity · NVD Advisory · Published May 10, 2023 · Updated Jan 27, 2025
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
CVE-2023-32070
Description
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, the (X)HTML renderers did not check for dangerous attributes or attribute values. HTML produced from wiki content could therefore carry cross-site scripting (XSS) payloads in element attributes (such as event-handler attributes) and in link URLs (such as a script-executing URL scheme), both of which XWiki syntax lets an author specify. The issue was patched in XWiki 14.6-rc-1. There are no known workarounds other than upgrading to a fixed version.
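To make the two attribute classes in the description concrete, here is an added example that is not XWiki's code and not the 14.6-rc-1 patch: a small Python allow-list filter that drops event-handler attributes, `style`, and URL-valued attributes whose scheme is not allowed, normalising each URL the way a browser would (entity decoding, control/whitespace stripping, case folding) before inspecting the scheme. The attribute names, the scheme allow-list and the sample markup are assumptions chosen for illustration.

```python
"""Added example (not XWiki code): an allow-list attribute filter for the
attribute-based and link-URL-based XSS described in CVE-2023-32070."""
import html
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Attributes whose value is a URL; each must be relative or use an allowed
# scheme. Both sets are assumptions for this example, not XWiki's lists.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href", "data",
                  "poster", "background"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Browsers ignore ASCII controls and whitespace around and inside the scheme
# ("java\tscript:" still runs), so strip them before looking at the scheme.
CONTROL_OR_WS = re.compile(r"[\x00-\x20\x7f]")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_url(value: str) -> bool:
    """True if the URL is relative or its scheme is in SAFE_SCHEMES."""
    # Decode entities as a browser would. Decoding a value that html.parser
    # already decoded once can only make this allow-list check stricter.
    cleaned = CONTROL_OR_WS.sub("", html.unescape(value))
    m = SCHEME.match(cleaned)
    if m is None:
        return True  # relative path, fragment, or protocol-relative "//host"
    return m.group(1).lower() in SAFE_SCHEMES


def is_dangerous_attribute(name: str, value: Optional[str]) -> bool:
    """Decide whether an attribute must be removed from rendered output."""
    name = name.lower()
    if name.startswith("on"):   # onclick, onerror, onload, ...
        return True
    if name == "style":         # dropped conservatively; CSS needs its own sanitizer
        return True
    if name in URL_ATTRIBUTES:
        return not safe_url(value or "")
    return False


class AttributeFilter(HTMLParser):
    """Re-emits markup with dangerous attributes removed, recording what was dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)  # pass entities in text through untouched
        self.out: List[str] = []
        self.dropped: List[Tuple[str, str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # html.parser has already decoded entities in values
            if is_dangerous_attribute(name, value):
                self.dropped.append((tag, name, value))
            else:
                kept.append((name, value))
        self.out.append(self._render(tag, kept))

    def handle_startendtag(self, tag, attrs):  # <br/> and similar
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    @staticmethod
    def _render(tag, attrs):
        parts = [tag]
        for name, value in attrs:
            # Re-escape kept values so a decoded quote cannot break out of the attribute.
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"


def filter_attributes(markup: str):
    """Return (filtered markup, list of (tag, attribute, value) tuples that were dropped)."""
    parser = AttributeFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample of rendered wiki HTML carrying both payload styles.
    sample = ('<p title="hello">Wiki text '
              '<a href="JaVa&#9;ScRiPt:alert(document.cookie)" onclick="alert(1)">link</a> '
              '<img src="/logo.png" onerror="alert(1)"></p>')
    cleaned, dropped = filter_attributes(sample)
    print(cleaned)
    for tag, name, value in dropped:
        print(f"dropped <{tag} {name}={value!r}>")
```

The `dropped` list doubles as a triage signal: running the filter over page content stored on an instance that ran an affected version surfaces attributes that would have reached browsers unchecked, which is the evidence an incident responder wants before and after the upgrade.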
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.xwiki.rendering:xwiki-rendering-syntax-xhtml | Maven | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.platform:xwiki-core-rendering-api | Maven | <= 3.0-milestone-2 | none listed |
| org.xwiki.rendering:xwiki-rendering-syntax-html | Maven | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-html5 | Maven | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-annotatedxhtml | Maven | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.rendering:xwiki-rendering-syntax-annotatedhtml5 | Maven | < 14.6-rc-1 | 14.6-rc-1 |
| org.xwiki.platform:xwiki-platform-annotation-core | Maven | < 14.6-rc-1 | 14.6-rc-1 |
Affected products
No CPE entries are assigned. The affected products are the seven Maven packages listed above: org.xwiki.platform:xwiki-core-rendering-api at <= 3.0-milestone-2, and the six other packages at < 14.6-rc-1.
References
- GitHub Advisory Database entry: https://github.com/advisories/GHSA-6gf5-c898-7rxp
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-32070
- Commit in xwiki-rendering referenced by the advisory: https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
- Vendor advisory (confirmation): https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp
- XWiki issue tracker: https://jira.xwiki.org/browse/XRENDERING-663