CVE-2023-29508

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Cross-site Scripting

CVSS 8.9 HIGHEPSS 0.4%CWE-79 CWE-80

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.9EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 Apr 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Affected products

xwiki · xwiki-platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2 https://jira.xwiki.org/browse/XWIKI-20312