VYPR
← All advisories
Critical severityNVD Advisory· Published Jun 23, 2023· Updated Nov 27, 2024

XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template

CVE-2023-35156

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven
>= 6.0-rc-1, < 14.10.614.10.6
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven
>= 15.0-rc-0, < 15.115.1

Affected products

1

Patches

3
24ec12890ac7

XWIKI-20672: Sanitize template URLs

https://github.com/xwiki/xwiki-platformSimon UrliFeb 22, 2023via ghsa
commit
1 file changed · +1 1
  • xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/delete.vm+1 1 modified
    @@ -311,7 +311,7 @@
   #else
     #set($cancelUrl = $escapetool.xml($doc.getURL()))
   #end
-  <a class="btn btn-default cancel" href="$!{escapetool.xml(${cancelUrl})}">$escapetool.xml($services.localization.render('cancel'))</a>
+  <a class="btn btn-default cancel" href="${cancelUrl}">$escapetool.xml($services.localization.render('cancel'))</a>
 #end
 #######################################################
 ##      DISPLAY DELETE COMPLETELY CONFIRM MESSAGE
13875a6437d4

XWIKI-20672: Sanitize template URLs

https://github.com/xwiki/xwiki-platformSimon UrliFeb 22, 2023via ghsa
commit
1 file changed · +2 2
  • xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/delete.vm+2 2 modified
    @@ -307,9 +307,9 @@
   </div>
   <button class="btn btn-danger confirm">$escapetool.xml($services.localization.render('delete'))</button>
   #if("$!{request.xredirect}" != '')
-    #set($cancelUrl = "$request.xredirect")
+    #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelUrl)
   #else
-    #set($cancelUrl = $doc.getURL())
+    #set($cancelUrl = $escapetool.xml($doc.getURL()))
   #end
   <a class="btn btn-default cancel" href="$!{escapetool.xml(${cancelUrl})}">$escapetool.xml($services.localization.render('cancel'))</a>
 #end
e80d22d193df

XWIKI-20341: Sanitize template URLs

https://github.com/xwiki/xwiki-platformSimon UrliFeb 2, 2023via ghsa
commit
1 file changed · +3 3
  • xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/delete.vm+3 3 modified
    @@ -333,11 +333,11 @@
       </div>
       <input type="submit" class="btn btn-primary" value="$services.localization.render('yes')"/>
       #if("$!{request.xredirect}" != '')
-        #set($cancelUrl = "$request.xredirect")
+        #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelUrl)
       #else
-        #set($cancelUrl = $doc.getURL())
+        #set($cancelUrl = $escapetool.xml($doc.getURL()))
       #end
-      <a class="btn btn-default" href="$!{escapetool.xml(${cancelUrl})}">$services.localization.render('no')</a>
+      <a class="btn btn-default" href="$cancelUrl">$services.localization.render('no')</a>
     </form>
   #xwikimessageboxend()
 #end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.