CVE-2023-29508
Published 2023-04-16
Priority: P426 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.42% (34.0th percentile)
XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | < 13.10.11 | 13.10.11 |
| xwiki | xwiki | >= 14.4.0 < 14.4.7 | 14.4.7 |
| xwiki | xwiki-platform | — | — |
CVSS provenance
NVD: CVSS v3.1 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
OSV: 4.3 MEDIUM
GHSA
org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
ghsa · 2023-04-12 · CVE-2023-29508 · HIGH · CWE-79
### Impact
A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.
For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.
```
{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": ""
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}
```
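The advisory's example hinges on a property descriptor whose displayer is "html", placed in a page whose last author holds script rights. Before (or while) rolling out the patched versions, an administrator may want to find every stored Live Data macro that uses that displayer so the pages can be reviewed. The audit below is an added example written for this page; it is not XWiki project code. It assumes page content is available as raw XWiki macro syntax (`{{liveData ...}} ... {{/liveData}}` with a JSON body, as in the advisory), and it goes slightly beyond the advisory by also recognising the object form of a displayer (`{"id": ...}`, the shape the advisory shows for the link displayer) and by reporting macros whose JSON does not parse instead of skipping them. The sample pages are constructed.

```python
import json
import re

# Matches one Live Data macro block in stored page source and captures the
# macro parameters and the JSON body. Assumption: XWiki macro syntax as in
# the advisory, body terminated by {{/liveData}}.
LIVEDATA_RE = re.compile(
    r"\{\{liveData\b(?P<params>[^}]*)\}\}(?P<body>.*?)\{\{/liveData\}\}",
    re.DOTALL | re.IGNORECASE,
)


def displayer_id(displayer):
    """Normalise a propertyDescriptor's displayer to its id string.

    The advisory shows two shapes: a bare string ("html") and an object
    ({"id": "link", "propertyHref": "url"}); both are handled here.
    """
    if isinstance(displayer, str):
        return displayer
    if isinstance(displayer, dict):
        return displayer.get("id")
    return None


def find_html_displayers(page_source):
    """Return (macro_id, property_id) pairs for every property that a Live
    Data macro in page_source renders with the "html" displayer.

    A macro whose JSON body fails to parse is reported with property_id
    None so the auditor still sees it rather than silently skipping it.
    """
    findings = []
    for m in LIVEDATA_RE.finditer(page_source):
        id_match = re.search(r'id="([^"]*)"', m.group("params"))
        macro_id = id_match.group(1) if id_match else "<no id>"
        try:
            data = json.loads(m.group("body"))
        except json.JSONDecodeError:
            findings.append((macro_id, None))
            continue
        descriptors = data.get("meta", {}).get("propertyDescriptors", [])
        for desc in descriptors:
            if displayer_id(desc.get("displayer")) == "html":
                findings.append((macro_id, desc.get("id")))
    return findings


def audit_pages(pages):
    """pages: mapping of page reference -> stored source.

    Returns only the pages that have at least one finding, keyed by page
    reference, so the output is a review worklist.
    """
    return {ref: f for ref, src in pages.items() if (f := find_html_displayers(src))}


# Constructed sample pages (not taken from a real wiki). The first mirrors
# the advisory's shape; the second uses a plain text displayer; the third
# has a body that is not valid JSON.
SAMPLE_PAGES = {
    "XWiki.JohnDoe": """Some profile text.
{{liveData id="movies" properties="title,description"}}
{"data": {"count": 1, "entries": [{"title": "Meet John Doe", "url": "https://example.invalid/", "description": ""}]},
 "meta": {"propertyDescriptors": [
   {"id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"}},
   {"id": "description", "name": "Description", "visible": true, "displayer": "html"}]}}
{{/liveData}}
""",
    "Main.WebHome": """{{liveData id="safe" properties="title"}}
{"data": {"count": 0, "entries": []},
 "meta": {"propertyDescriptors": [{"id": "title", "name": "Title", "displayer": "text"}]}}
{{/liveData}}
""",
    "Sandbox.Broken": """{{liveData id="broken"}}
{not json
{{/liveData}}
""",
}

if __name__ == "__main__":
    for ref, findings in audit_pages(SAMPLE_PAGES).items():
        print(ref, findings)
```

Run against an export of page sources, the worklist contains `XWiki.JohnDoe` (html displayer on `description`) and `Sandbox.Broken` (unparseable body), while `Main.WebHome` is omitted. The html displayer is only a lead: whether a given hit is exploitable still depends on the script rights of the page's last author, which this script does not check.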
OSV
org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
osv · 2023-04-12 · CVE-2023-29508 · HIGH
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312