CVE-2023-29508

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Published: Apr 16, 2023
Updated: May 10, 2024
CVE: CVE-2023-29508
GHSA: GHSA-hmm7-6ph9-8jf2
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79
CWE-80

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-livedata-macro	13.10.10	13.10.11
org.xwiki.platform / xwiki-platform-livedata-macro	14.4	14.4.7
org.xwiki.platform / xwiki-platform-livedata-macro	14.9	14.10
xwiki / xwiki	14.4.0	14.4.7
xwiki / xwiki	-	13.10.11
xwiki / xwiki	14.10-rc1	14.10-rc1.x

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
https://jira.xwiki.org/browse/XWIKI-20312

Vulnerability Database

CVE-2023-29508

Deep Security Visibility Without the Complexity