CVE-2023-35159

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 3.4-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Published: Jun 23, 2023
Updated: May 10, 2024
CVE: CVE-2023-35159
GHSA: GHSA-x234-mg7q-m8g8
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-web-templates	3.4-milestone-1	14.10.5
org.xwiki.platform / xwiki-platform-web-templates	15.0-rc-1	15.1-rc-1
xwiki / xwiki	15.0	15.0.x
xwiki / xwiki	3.5-rc-1	3.5-rc-1.x
xwiki / xwiki	3.4-milestone-1	3.4-milestone-1.x
xwiki / xwiki	3.5	14.10.5

Vulnerability Database

CVE-2023-35159

Deep Security Visibility Without the Complexity