CVE-2023-29506
Published 2023-04-16
Priority: P3 (39) | Severity: medium | CVSS 3.1 base score: 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.72% (74.6th percentile)
XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 13.10.8 < 13.10.11 | 13.10.11 |
| xwiki | xwiki | >= 14.4.3 < 14.4.7 | 14.4.7 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA (2023-04-12): CVE-2023-29506 [MEDIUM] CWE-79 org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
### Impact
It was possible to inject some code using the URL of authenticate endpoints, e.g.:
```
https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword
```
This vulnerability was present in recent versions of XWiki:
- 13.10.8+
- 14.4.3+
- 14.6+
### Patches
This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.
### Workarounds
There is no easy workaround except to upgrade.
### References
- https://jira.xwiki.org/browse/XWIKI-20335
- https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](https://ji
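To show the attribute-breakout pattern this advisory describes from the defender's side, here is an added Python example (not code from XWiki or from the advisory authors): it decodes the wiki segment of a path shaped like the one above, renders a hypothetical form tag with and without HTML attribute encoding, checks whether the attribute value was closed early, and flags request paths whose wiki segment carries quote or angle-bracket characters. The path, the form markup and the helper names are constructed assumptions; XWiki's actual rendering code differs.

```python
import html
from urllib.parse import unquote

# Constructed request paths following the advisory's pattern; not live targets.
PAYLOAD_PATH = "/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword"
BENIGN_PATH = "/xwiki/authenticate/wiki/xwiki/resetpassword"


def wiki_segment(path: str) -> str:
    """Return the percent-decoded wiki name from /xwiki/authenticate/wiki/<wiki>/<action>."""
    parts = path.split("/")
    if len(parts) < 6 or parts[1:4] != ["xwiki", "authenticate", "wiki"]:
        raise ValueError("not an authenticate endpoint path")
    return unquote(parts[4])


def render_vulnerable(wiki: str) -> str:
    # Hypothetical rendering: the wiki name is concatenated into an attribute as-is,
    # so a double quote in it terminates the action value early.
    return f'<form action="/xwiki/authenticate/wiki/{wiki}/resetpassword" method="post">'


def render_hardened(wiki: str) -> str:
    # quote=True turns " and ' into entities, so the value cannot close the attribute;
    # the browser still decodes the entities back to the original characters.
    return f'<form action="/xwiki/authenticate/wiki/{html.escape(wiki, quote=True)}/resetpassword" method="post">'


def attribute_breakout(markup: str) -> bool:
    """A start tag with two quoted attributes holds exactly four literal quotes.
    Any other count means a value ended early and the remainder parses as new attributes."""
    return markup.count('"') != 4


def suspicious_wiki_name(path: str) -> bool:
    """Log-review heuristic: a decoded wiki name containing quote or angle-bracket
    characters has no legitimate use on this endpoint and is worth alerting on."""
    try:
        wiki = wiki_segment(path)
    except ValueError:
        return False
    return any(c in wiki for c in '"\'<>')
```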
OSV (2023-04-12): CVE-2023-29506 [MEDIUM] org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
No detection rules found.
Nuclei (CVSS 6.1): CVE-2023-29506 [MEDIUM] XWiki >= 13.10.8 - Cross-Site Scripting
Reflected XSS vulnerability in XWiki authenticate endpoints allows execution of arbitrary JavaScript.
Template:
```yaml
id: CVE-2023-29506
info:
  name: XWiki >= 13.10.8 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Reflected XSS vulnerability in XWiki authenticate endpoints allows execution of arbitrary JavaScript.
  impact: |
    Successful exploitation could allow an attacker to execute malicious scripts in the context of the victim's browser.
  remediation: |
    Implement proper input validation and output encoding to prevent XSS attacks in the XWiki application.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
    - https://jira.xwiki.org/browse/XWIKI-20335
    - https://nvd.nist.gov/vuln/detail/C
```
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
- https://jira.xwiki.org/browse/XWIKI-20335