Critical severityNVD Advisory· Published Nov 6, 2023· Updated Sep 5, 2024

Reflected Cross-site scripting through revision parameter in content menu in XWiki Platform

CVE-2023-46732

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the rev parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. The patch in commit 04e325d57 can be manually applied without upgrading (or restarting) the instance. Users are advised to upgrade or to manually apply the patch. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven	>= 9.7-rc-1, < 14.10.14	14.10.14
org.xwiki.platform:xwiki-platform-flamingo-skin-resourcesMaven	>= 15.0-rc-1, < 15.5.1	15.5.1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 9.7-rc-1, < 14.10.14

Patches

04e325d57d4b

XWIKI-21095: Improve revision handling in code viewer menu item

https://github.com/xwiki/xwiki-platformMichael HamannJul 10, 2023via ghsa

commit

1 file changed · +1 −1

xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/menus_content.vm

+1 −1 modified

@@ -435,7 +435,7 @@
         ## VIEW SOURCE
         ##
         #if ("$!request.rev" != '')
-          #set ($revisionParameter = "&rev=$request.rev")
+          #set ($revisionParameter = "&rev=$escapetool.url($request.rev)")
         #end
         #submenuitem($doc.getURL('view', "viewer=code$!{revisionParameter}") $services.localization.render('core.menu.view.source') 'tmViewSource', '', 'search', $extraAttributes)
         $viewersContent

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-j9rc-w3wv-fv62ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-46732ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/04e325d57d4bcb6ab79bddcafbb19032474c2a55ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-j9rc-w3wv-fv62ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-21095ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.038
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000