CVE-2023-29206

XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

Published: Apr 15, 2023
Updated: May 10, 2024
CVE: CVE-2023-29206
GHSA: GHSA-cmvg-w72j-7phx
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-skin-skinx	3.0-milestone-1	14.9-rc-1
xwiki / xwiki	3.0-rc1	3.0-rc1.x
xwiki / xwiki	3.0	3.0.x
xwiki / xwiki	3.0-milestone_2	3.0-milestone_2.x
xwiki / xwiki	3.0.x	14.8.x
xwiki / xwiki	3.0-milestone3	3.0-milestone3.x

Vulnerability Database

CVE-2023-29206

Deep Security Visibility Without the Complexity