Vulnerability DatabaseCVE-2023-32070
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-32070
May 10, 2023
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.
Related ResourcesĀ (9)
https://github.com/xwiki/xwiki-rendering
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp
https://nvd.nist.gov/vuln/detail/CVE-2023-37908
https://jira.xwiki.org/browse/XRENDERING-697
https://nvd.nist.gov/vuln/detail/CVE-2023-32070
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-663w-2xp3-5739
https://jira.xwiki.org/browse/XRENDERING-663
https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f
https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Script in Attributes in a Web Page
CWE-83
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-86
EPSS
Base Score:
5.39