CVE-2023-32070

Summary

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-rendering< 14.6-rc-1affected
xwikixwiki-rendering<= 3.0-milestone-2affected

Weaknesses

  • CWE-83: CWE-83: Improper Neutralization of Script in Attributes in a Web Page

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References