Critical severityNVD Advisory· Published Jun 23, 2023· Updated Nov 27, 2024

XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template

CVE-2023-35158

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven	>= 9.4-rc-1, < 14.10.5	14.10.5
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven	>= 15.0-rc-1, < 15.1-rc-1	15.1-rc-1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 9.4-rc-1, < 14.10.5

Patches

d5472100606c

XWIKI-20352: Sanitize template URLs

https://github.com/xwiki/xwiki-platformSimon UrliFeb 2, 2023via ghsa

commit

1 file changed · +3 −3

xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/restore.vm

+3 −3 modified

@@ -178,9 +178,9 @@
   </div>
   <button class="btn btn-primary">$services.localization.render('core.restore.confirm.yes')</button>
   #if("$!{request.xredirect}" != '')
-    #set($cancelUrl = "$request.xredirect")
+    #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelUrl)
   #else
-    #set($cancelUrl = $doc.getURL())
+    #set($cancelUrl = $escapetool.xml($doc.getURL()))
   #end
-  <a class="btn btn-default" href="$!{escapetool.xml(${cancelUrl})}">$services.localization.render('core.restore.confirm.no')</a>
+  <a class="btn btn-default" href="$cancelUrl">$services.localization.render('core.restore.confirm.no')</a>
 #end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-mwxj-g7fw-7hc8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-35158ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20352ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-20583ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.009
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000