VYPR
Critical severityNVD Advisory· Published Jun 23, 2023· Updated Nov 29, 2024

XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name parameters

CVE-2023-35153

Description

XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a AppWithinMinutes.FormFieldCategoryClass class on a page and setting the payload on the page title. Then, any user visiting /xwiki/bin/view/AppWithinMinutes/ClassEditSheet executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update AppWithinMinutes.ClassEditSheet with a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-appwithinminutes-uiMaven
>= 5.4.4, < 14.4.814.4.8
org.xwiki.platform:xwiki-platform-appwithinminutes-uiMaven
>= 14.5, < 14.10.414.10.4
org.xwiki.platform:xwiki-platform-appwithinminutes-uiMaven
>= 15.0-rc-1, < 15.015.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.