CVE-2023-32070
Published 2023-05-10
Priority: P4
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.65% (46.6th percentile)
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | rendering | — | — |
| xwiki | xwiki | <= 14.5 | — |
| xwiki | xwiki-rendering | < 14.6-rc-1 | 14.6-rc-1 |
| xwiki | xwiki-rendering | <= 3.0-milestone-2 | — |
OSV
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
osv·2023-05-11
CVE-2023-32070 [CRITICAL] Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
### Impact
HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.
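As an added illustration of the missing check (this is not XWiki's code and not the fix in the linked commit), a minimal attribute filter of the kind an (X)HTML renderer has to apply before emitting user-controlled markup: event-handler attributes are dropped, and URL-bearing attributes and link targets are kept only when their scheme is on an allowlist, after decoding entities and stripping the control characters browsers ignore. The function names, attribute sets and allowlist are assumptions for this example.

```python
import re
from html import escape, unescape

# Attributes whose value is a URL, so a dangerous scheme executes script (assumed set).
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "xlink:href", "data"}
# Schemes a wiki link may use; "" covers relative URLs such as /wiki/Page (assumed allowlist).
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}
# Browsers skip ASCII controls/whitespace inside a scheme ("java\tscript:").
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
# RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".", then ":".
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def is_safe_url(value: str) -> bool:
    """True if the URL cannot start a scheme outside the allowlist."""
    # Decode entities first: "&#106;avascript:" reaches the browser as "javascript:".
    cleaned = _CONTROL.sub("", unescape(value))
    match = _SCHEME.match(cleaned)
    scheme = match.group(1).lower() if match else ""
    return scheme in ALLOWED_SCHEMES


def sanitize_attributes(attrs: dict) -> dict:
    """Drop attributes that let markup carry script into rendered HTML.

    Removes every on* event handler, the style attribute, and any URL
    attribute whose scheme is not allowlisted; everything else is kept.
    """
    safe = {}
    for name, value in attrs.items():
        key = name.strip().lower()
        if key.startswith("on"):        # onclick, onerror, onload, ...
            continue
        if key == "style":              # inline CSS is dropped outright here
            continue
        if key in URL_ATTRIBUTES and not is_safe_url(value):
            continue
        safe[name] = value
    return safe


def render_link(label: str, url: str) -> str:
    """Render a wiki link as <a> only when its URL passes the check.

    A rejected URL degrades to the escaped label text instead of a link.
    """
    if not is_safe_url(url):
        return escape(label, quote=True)
    return '<a href="%s">%s</a>' % (escape(url, quote=True), escape(label, quote=True))
```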
### Patches
This has been patched in XWiki 14.6 RC1.
### Workarounds
There are no known workarounds apart from upgrading to a fixed version.
### References
* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
* https://jira.xwiki.org/browse/XRENDERING-663
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
GHSA
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
ghsa·2023-05-11
CVE-2023-32070 [CRITICAL] CWE-79 Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
* https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp
* https://jira.xwiki.org/browse/XRENDERING-663