XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL carrying a payload that injects JavaScript into the page (XSS): the recipient given in the `target` parameter of the share-page-by-email form is reflected, unescaped, into the error message shown when sending fails. For instance, the following URL executes an alert in the browser: <xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you., where <xwiki-host> is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.
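The following is an added example, not code from the advisory or from the XWiki project. It shows two things a defender cares about on this issue: a check over constructed access-log lines (the log lines are made up for this example; the first reuses the advisory's own URL) that flags share-by-email send requests whose `target` parameter carries markup, and a Python approximation of the template fix, where the localized error message is XML-escaped before being emitted rather than interpolated raw. `html.escape` is used as a stand-in for Velocity's `$escapetool.xml`; the exact escape set of the real tool is an assumption here.

```python
"""Added example (not XWiki code): flag share-page send requests with markup in
`target`, and show the raw vs. escaped error message the template renders."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for this example (not taken from a real server).
# Line 1 carries the advisory's payload in `target`; line 2 is a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/May/2023:10:00:00 +0000] "GET /xwiki/bin/view/Main/'
    '?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E'
    '+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=hi HTTP/1.1" 200 1234',
    '10.0.0.6 - - [09/May/2023:10:00:01 +0000] "GET /xwiki/bin/view/Main/'
    '?viewer=share&send=1&target=alice%40example.org&message=hi HTTP/1.1" 200 1234',
]

# Characters that have no business in an e-mail recipient and that the
# unpatched template would have written into the page verbatim.
MARKUP_CHARS = set('<>"\'&')


def request_path_from_log(line):
    """Pull the request path out of a combined-format log line (method path proto)."""
    start = line.index('"') + 1
    _method, path, _proto = line[start:line.index('"', start)].split(" ", 2)
    return path


def share_targets(request_path):
    """Return every `target` value when the path is a share-by-email *send*
    request (viewer=share&send=1); any other request yields an empty list."""
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    if query.get("viewer") != ["share"] or query.get("send") != ["1"]:
        return []
    return query.get("target", [])


def suspicious_targets(request_path):
    """Targets containing markup-significant characters, i.e. values the
    unpatched shareinline.vm would reflect into the error message unescaped."""
    return [t for t in share_targets(request_path) if MARKUP_CHARS & set(t)]


def scan_log(lines):
    """Return (path, target) pairs for every suspicious share request in the log."""
    findings = []
    for line in lines:
        path = request_path_from_log(line)
        for target in suspicious_targets(path):
            findings.append((path, target))
    return findings


def render_error(recipient, error, escaped=True):
    """Approximate the template's error line. With escaped=False this mirrors the
    pre-fix behaviour (localized message emitted raw); with escaped=True it mirrors
    the fix, which runs the whole localized message through $escapetool.xml.
    html.escape is an approximation of that tool's escape set (assumption)."""
    message = f"core.viewers.share.send.error [{recipient}, {error}]"
    return html.escape(message, quote=True) if escaped else message


if __name__ == "__main__":
    for path, target in scan_log(SAMPLE_LOG):
        print("suspicious share target:", repr(target))
    print("raw:    ", render_error("<strong>hello</strong>@", "serverError", escaped=False))
    print("escaped:", render_error("<strong>hello</strong>@", "serverError"))
```

`scan_log` keys on `viewer=share&send=1` rather than on the path, because the share viewer can be invoked on any document; the benign request with a plain address produces no finding, and the blank first `target=` in the payload URL is ignored because it contains no markup.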
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-sharepage-api (Maven) | >= 2.6-rc-2, < 14.4.8 | 14.4.8 |
| org.xwiki.platform:xwiki-platform-sharepage-api (Maven) | >= 14.5, < 14.10.4 | 14.10.4 |
Affected products
- Range: >= 2.6-rc-2, < 14.4.8
Patches
ca88ebdefb2c XWIKI-20370: Improved email escaping in error message
2 files changed · +30 −1
xwiki-platform-core/xwiki-platform-sharepage/xwiki-platform-sharepage-api/src/main/resources/templates/shareinline.vm+4 −1 modified@@ -84,7 +84,10 @@ #end #if ($errors.size() > 0) #foreach ($recipient in $errors.keySet()) - #error($services.localization.render('core.viewers.share.send.error', [${recipient}, ${errors.get($recipient)}])) + #set ($errorMessage = $services.localization.render('core.viewers.share.send.error', + [${recipient}, ${errors.get($recipient)}])) + #set ($errorMessage = $escapetool.xml($errorMessage)) + #error($errorMessage) #end #end <a href='$doc.getURL()' class='share-backlink'>$services.localization.render('core.viewers.share.send.back', ["<em>${doc.displayTitle}</em>"])</a>
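Review bot: the unchanged back-link on the context line right after the hunk still builds `"<em>${doc.displayTitle}</em>"` and hands it to `$services.localization.render` with no `$escapetool` call, so if `displayTitle` is not already escaped at that point the same class of reflection remains one line below the fix; worth confirming or applying the same treatment. A second point on the approach: escaping the whole result of `render` (the new `#set ($errorMessage = $escapetool.xml($errorMessage))`) also neutralizes any markup a translation of `core.viewers.share.send.error` deliberately carries; escaping `${recipient}` and `${errors.get($recipient)}` individually before passing them to `render` would keep the translation free to use markup while still neutralizing the user-supplied recipient.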
xwiki-platform-core/xwiki-platform-sharepage/xwiki-platform-sharepage-api/src/test/java/org/xwiki/sharepage/ShareInlineTemplateTest.java+26 −0 modified@@ -19,13 +19,16 @@ */ package org.xwiki.sharepage; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; import org.junit.jupiter.api.Test; import org.xwiki.model.reference.DocumentReference; import org.xwiki.template.TemplateManager; import org.xwiki.template.script.TemplateScriptService; import org.xwiki.test.annotation.ComponentList; import org.xwiki.test.page.PageTest; +import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertTrue; /** @@ -70,4 +73,27 @@ void shareByEmailWhenNoFromAddress() throws Exception assertTrue(result.contains("<div class=\"infomessage\">core.viewers.share.send.success [john]</div>")); } + + @Test + void displayEmailErrorWithSpecialChars() throws Exception + { + // Log in (since the template checks that a user is logged in) + this.oldcore.getXWikiContext().setUserReference(new DocumentReference("xwiki", "XWiki", "SomeUser")); + + // Simulate that we're using the shareinline template to send the emails + this.request.put("send", "1"); + // Simulate an unknown target recipient to send the share page to, to produce an error message. + // The '@' is required in order to make it considered as a mail. + this.request.put("target", "<strong>hello</strong>@"); + + this.request.put("message", "Test message"); + + TemplateManager templateManager = this.oldcore.getMocker().getInstance(TemplateManager.class); + + Document document = Jsoup.parse(templateManager.render("shareinline.vm")); + + assertEquals("error: core.viewers.share.send.error " + + "[<strong>hello</strong>, core.viewers.share.error.serverError]", + document.selectFirst(".errormessage").text()); + } }
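Review bot: the assertion in `displayEmailErrorWithSpecialChars` compares `document.selectFirst(".errormessage").text()`, which does separate the fixed from the unfixed output (an unescaped `<strong>hello</strong>` would be parsed by Jsoup as an element and `text()` would come back as `hello`), but that only reads as a regression test to someone who knows Jsoup's behaviour; an additional assertion that the raw string returned by `templateManager.render("shareinline.vm")` contains `&lt;strong&gt;hello&lt;/strong&gt;` would state the intent directly. The single recipient `<strong>hello</strong>@` also exercises only `<` and `>`; since the fix relies on `$escapetool.xml`, a second value containing `&` and a quote character would cover the rest of the characters the escape is expected to handle.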
References
- github.com/advisories/GHSA-fwwj-wg89-7h4c (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-35155 (NVD)
- github.com/xwiki/xwiki-platform/commit/ca88ebdefb2c9fa41490959cce9f9e62404799e7 (fix commit)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-fwwj-wg89-7h4c (XWiki advisory)
- jira.xwiki.org/browse/XWIKI-20370 (XWiki Jira issue)