XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user can forge a URL carrying a payload that injects JavaScript into the page (reflected XSS). The DeleteApplication page can be abused this way, e.g. with a URL such as: xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). The vulnerability has existed since XWiki 6.2-milestone-1 and has been patched in XWiki 14.10.5 and 15.1-rc-1.
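The mechanism described above (a caller-controlled xredirect value written into a link's href, so a javascript: URL runs when the link is followed) and the shape of the fix (validate the value, fall back to the document's own URL) can be shown in a few lines. The following is an added illustration in Python, not XWiki's code and not the Velocity macro used in the patch; sanitize_href, render_cancel_link, DOC_URL and the sample URLs are constructed for this example. It also covers edge cases the description does not spell out: mixed-case schemes, tab and newline characters inside the scheme (which browsers discard before parsing), and scheme-less protocol-relative URLs.

```python
import html
import re
from urllib.parse import urlsplit

# Added illustration, not XWiki's code. It mirrors the shape of the fix:
# a caller-supplied redirect URL is checked before it is written into an
# href attribute, and the document's own URL is used when the check fails.

# Constructed stand-in for $doc.getURL() in the template.
DOC_URL = "/xwiki/bin/view/AppWithinMinutes/DeleteApplication"

# Schemes an href may carry explicitly; scheme-less relative URLs are also accepted.
SAFE_SCHEMES = {"http", "https"}

# WHATWG URL parsing strips leading/trailing C0 controls and spaces, and drops
# ASCII tab/newline anywhere, so "java\tscript:" executes like "javascript:".
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_TAB_NL = re.compile(r"[\t\r\n]")


def _normalize(url):
    """Apply the browser's pre-parsing cleanup so our check sees what it sees."""
    return _INNER_TAB_NL.sub("", _EDGE_CONTROLS.sub("", url))


def sanitize_href(candidate, fallback):
    """Return candidate if it is acceptable as an href value, otherwise fallback."""
    if not candidate:
        return fallback
    cleaned = _normalize(candidate)
    if not cleaned:
        return fallback
    parts = urlsplit(cleaned)
    if parts.scheme:
        # urlsplit lower-cases the scheme, so "JavaScript:" is caught as well.
        return cleaned if parts.scheme in SAFE_SCHEMES else fallback
    # No scheme: accept same-site paths only. "//host/path" (and "/\host",
    # since browsers treat a backslash as a slash here) would leave the site.
    if parts.netloc or cleaned[:2].replace("\\", "/") == "//":
        return fallback
    return cleaned


def render_cancel_link_unsafe(xredirect):
    """Pre-fix shape: attribute escaping only, which does not stop a javascript: URL."""
    return '<a href="%s">Cancel</a>' % html.escape(xredirect, quote=True)


def render_cancel_link(xredirect, doc_url=DOC_URL):
    """Post-fix shape: validate the URL first, then attribute-escape it as well."""
    href = sanitize_href(xredirect, doc_url)
    return '<a href="%s">Cancel</a>' % html.escape(href, quote=True)


if __name__ == "__main__":
    # Constructed sample values, including the one quoted in the description.
    for value in ("/xwiki/bin/view/Main/WebHome",
                  "javascript:alert(document.domain)",
                  " JavaScript:alert(1)",
                  "java\tscript:alert(1)",
                  "//evil.example/",
                  "data:text/html,x"):
        print(repr(value), "->", render_cancel_link(value))
```

Attribute escaping alone is not enough here: html.escape leaves a javascript: URL intact, so the scheme must be checked separately, which is what the patch's macro does with $doc.getURL() as the fallback. Whether the redirect the server itself follows after confirmation is validated is a separate question that this client-side check does not answer.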
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-appwithinminutes-ui (Maven) | >= 6.2-milestone-1, < 14.10.5 | 14.10.5 |
| org.xwiki.platform:xwiki-platform-appwithinminutes-ui (Maven) | >= 15.0-rc-1, < 15.1-rc-1 | 15.1-rc-1 |
Affected products
- Range: >= 6.2-milestone-1, < 14.10.5
Patches
8f5a889b7cd1 XWIKI-20614: Sanitize template URLs
1 file changed · +3 −2
xwiki-platform-core/xwiki-platform-appwithinminutes/xwiki-platform-appwithinminutes-ui/src/main/resources/AppWithinMinutes/DeleteApplication.xml+3 −2 modified@@ -92,8 +92,9 @@ 'form_token': $services.csrf.token }) #if ("$!request.xredirect" != '') - #set ($cancelURL = $request.xredirect) - #set ($confirmParams.xredirect = $cancelURL) + #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelURL) + ## We don't sanitize those parameters as the sanitation will be handled server side. + #set ($confirmParams.xredirect = $request.xredirect) #end #set ($confirmURL = $doc.getURL($xcontext.action, $escapetool.url($confirmParams))) {{html}}
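Review bot: the comment `## We don't sanitize those parameters as the sanitation will be handled server side.` relies on a server-side check that is not visible in this hunk, while `#set ($confirmParams.xredirect = $request.xredirect)` still passes the raw value into `$confirmURL`; the comment should name where that server-side validation lives (class or ticket) so a reader can verify it, and "sanitation" should read "sanitization". The new `#getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelURL)` call with `$doc.getURL()` as the fallback is the right shape for the href case; a regression test that supplies a javascript: value through xredirect and asserts that the fallback URL is rendered would pin that behaviour down.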
References
- github.com/advisories/GHSA-4xm7-5q79-3fch
- nvd.nist.gov/vuln/detail/CVE-2023-35161
- github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-4xm7-5q79-3fch
- jira.xwiki.org/browse/XWIKI-20583
- jira.xwiki.org/browse/XWIKI-20614