Critical severity | NVD Advisory · Published Jun 23, 2023 · Updated Nov 29, 2024
XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name parameters
CVE-2023-35153
Description
XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding an AppWithinMinutes.FormFieldCategoryClass class on a page and placing the payload in the page title. Any user who then visits /xwiki/bin/view/AppWithinMinutes/ClassEditSheet executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update AppWithinMinutes.ClassEditSheet with a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 5.4.4, < 14.4.8 | 14.4.8 |
| org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 14.5, < 14.10.4 | 14.10.4 |
| org.xwiki.platform:xwiki-platform-appwithinminutes-ui | Maven | >= 15.0-rc-1, < 15.0 | 15.0 |
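As an added check that is not part of the advisory, the following Python script tests a Maven version string of the affected artifact against the three ranges in the table above. It uses a simplified Maven-style ordering (an assumption, not Maven's full comparator) in which a pre-release qualifier such as rc sorts before the corresponding release, so that 15.0-rc-1 falls inside the last range while 15.0 does not.

```python
import re

# Affected ranges of org.xwiki.platform:xwiki-platform-appwithinminutes-ui,
# copied from the advisory table: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("5.4.4", "14.4.8"),
    ("14.5", "14.10.4"),
    ("15.0-rc-1", "15.0"),
]

# Pre-release qualifiers in ascending order; each sorts before a release
# (simplified assumption modelled on Maven's ordering).
QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot"]


def _tokens(version):
    """Split '14.10.4' or '15.0-rc-1' into ints and lowercase qualifier strings."""
    return [int(t) if t.isdigit() else t.lower()
            for t in re.split(r"[.-]", version) if t]


def _key(token):
    # A missing trailing token behaves like numeric 0, so 15.0 == 15.0.0.
    if token is None:
        return (1, 0)
    if isinstance(token, int):
        return (1, token)
    # Qualifiers rank below every number, so 15.0-rc-1 < 15.0.
    rank = QUALIFIERS.index(token) if token in QUALIFIERS else len(QUALIFIERS)
    return (0, rank)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under the simplified ordering."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        ka = _key(ta[i] if i < len(ta) else None)
        kb = _key(tb[i] if i < len(tb) else None)
        if ka != kb:
            return -1 if ka < kb else 1
    return 0


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if version lies inside any [low, high) range from the advisory."""
    return any(compare_versions(version, low) >= 0
               and compare_versions(version, high) < 0
               for low, high in ranges)


if __name__ == "__main__":
    for v in ["14.4.7", "14.4.8", "14.10.3", "15.0-rc-1", "15.0"]:
        print(v, "affected" if is_affected(v) else "not affected")
```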
Affected products
- Range: >= 5.4.4, < 14.4.8
References
- github.com/advisories/GHSA-4wc6-hqv9-qc97 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-35153 (advisory)
- github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392 (fix commit)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97 (vendor advisory)
- jira.xwiki.org/browse/XWIKI-20365 (issue tracker)