cbcvebase.
CVE-2023-35153
published 2023-06-23

CVE-2023-35153: XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting…

PriorityP425medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.74%
50.2th percentile
XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting `/xwiki/bin/view/AppWithinMinutes/ClassEditSheet` executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update `AppWithinMinutes.ClassEditSheet` with a patch.

Affected

6 ranges
VendorProductVersion rangeFixed in
xwikixwiki
xwikixwiki>= 14.10 < 14.10.414.10.4
xwikixwiki>= 5.4.4 < 14.4.814.4.8
xwikixwiki-platform
xwikixwiki-platform
xwikixwiki-platform
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.