CVE-2023-35156
Published 2023-06-23. CVE-2023-35156: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing…
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit likelihood (EPSS): 2.08% (79.2th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript in the page (XSS). It's possible to exploit the delete template to perform an XSS, e.g. by using a URL such as `xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)`. This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch was provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 6.0.1 < 14.10.6 | 14.10.6 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template
ghsa · 2023-06-22 · CVE-2023-35156 · [CRITICAL] · CWE-79
### Impact
Users are able to forge a URL with a payload allowing them to inject JavaScript in the page (XSS).
It's possible to exploit the delete template to perform an XSS, e.g. by using a URL such as:
> xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)
This vulnerability exists since XWiki 6.0-rc-1.
### Patches
The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.
### Workarounds
It's possible to work around the vulnerability by editing the template delete.vm to perform checks on it, but note that the appropriate fix
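The advisory's payload works because the template takes the `xredirect` request parameter and hands it to the browser as a redirect target unchecked, so a `javascript:` URL executes in the wiki's origin. As an added illustration of the kind of check the workaround refers to (this is example code written for this page, not XWiki's delete.vm or its actual patch, which lives in the linked commits; the function names and the "accept only site-absolute paths" policy are assumptions made here), a validator for a redirect parameter in Python:

```python
"""Added example (not XWiki's code): validate a redirect parameter such as
``xredirect`` before it is used as a redirect target.

Policy (an assumption for this example): accept only site-absolute paths
("/path..."), and reject anything carrying a scheme, an authority,
a backslash, or control characters. Rejecting rather than sanitising keeps
the decision simple and auditable.
"""
from urllib.parse import urlsplit


def is_safe_redirect(target: str) -> bool:
    """Return True only if ``target`` is a plain same-site path."""
    if not target:
        return False
    # Browsers strip tabs/newlines and treat other controls leniently, so
    # "java\tscript:" can still reach the scheme parser; reject them outright
    # instead of trying to normalise them (space is rejected too).
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Some browsers treat "\" as "/", turning "/\evil.example" into
    # "//evil.example", i.e. a different host.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # Any scheme (javascript:, data:, https:) or any authority (//host)
    # means the destination is not under this site's control.
    if parts.scheme or parts.netloc:
        return False
    # Require exactly one leading slash; urlsplit already moved "//host"
    # into netloc above, but keep the check explicit.
    return parts.path.startswith("/") and not parts.path.startswith("//")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return ``target`` if it passes the policy, otherwise ``default``.

    This is the shape of check a template (or the controller behind it)
    would apply before emitting a Location header or a client-side
    redirect built from a request parameter.
    """
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload plus common variants.
    samples = [
        "/xwiki/bin/view/Main/WebHome",
        "javascript:alert(document.domain)",
        "JaVaScRiPt:alert(document.domain)",
        "java\tscript:alert(document.domain)",
        "//evil.example/",
        "/\\evil.example/",
        "https://evil.example/",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s, '/xwiki/')!r}")
```

Because the policy admits only same-site paths, the same check also closes the open-redirect variant of this parameter handling, not just the `javascript:` case; a deployment that legitimately needs cross-host redirects would add an explicit allow-list of hosts rather than loosening the scheme check.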
OSV
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template
osv · 2023-06-22 · CVE-2023-35156 · [CRITICAL] (same advisory text as the GHSA entry above)
No detection rules found.
Nuclei
XWiki >= 6.0-rc-1 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2023-35156 · [MEDIUM]
Template:

```yaml
id: CVE-2023-35156

info:
  name: XWiki >= 6.0-rc-1 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Ja
```
References
- https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1
- https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfcba11362fd5
- https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab7925572720f91a8984a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c
- https://jira.xwiki.org/browse/XWIKI-20341
- https://jira.xwiki.org/browse/XWIKI-20583
- https://jira.xwiki.org/browse/XWIKI-20672