VYPR
Critical severityNVD Advisory· Published Oct 25, 2023· Updated Sep 10, 2024

XWiki Platform XSS with edit right in the create document form for existing pages

CVE-2023-45137

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus XSS. The injected code is the document reference of the existing document so this requires that the attacker first creates a non-empty document whose name contains the attack code. This has been patched in org.xwiki.platform:xwiki-platform-web version 13.4-rc-1 and org.xwiki.platform:xwiki-platform-web-templates versions 14.10.12 and 15.5-rc-1 by adding the appropriate escaping. The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-web-templatesMaven
< 14.10.1214.10.12
org.xwiki.platform:xwiki-platform-web-templatesMaven
>= 15.0-rc-1, < 15.5-rc-115.5-rc-1
org.xwiki.platform:xwiki-platform-webMaven
>= 3.1-milestone-2, < 13.4-rc-113.4-rc-1

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.