CVSS: 9.6EPSS: 50%CPEs: 5EXPL: 0CVE-2023-35162 – XPlatform Wiki vulnerable to cross-site scripting via xcontinue parameter in preview actions template
https://notcve.org/view.php?id=CVE-2023-35162
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by using URL such as: > <hostname>/xwiki/bin/get/FlamingoThemes/Cerulean xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain). This vulnerability exists since XWiki 6.1-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. • https://github.com/xwiki/xwiki-platform/commit/9f01166b1a8ee9639666099eb5040302df067e4d https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q9hg-9qj2-mxf9 https://jira.xwiki.org/browse/XWIKI-20342 https://jira.xwiki.org/browse/XWIKI-20583 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 51%CPEs: 3EXPL: 0CVE-2023-35161 – XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page
https://notcve.org/view.php?id=CVE-2023-35161
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.2-milestone-1. • https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4xm7-5q79-3fch https://jira.xwiki.org/browse/XWIKI-20583 https://jira.xwiki.org/browse/XWIKI-20614 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 9.6EPSS: 51%CPEs: 3EXPL: 0CVE-2023-35160 – XWiki Platform vulnerable to reflected cross-site scripting via back and xcontinue parameters in resubmit template
https://notcve.org/view.php?id=CVE-2023-35160
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain). This vulnerability exists since XWiki 2.5-milestone-2. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. • https://github.com/xwiki/xwiki-platform/commit/dbc92dcdace33823ffd1e1591617006cb5fc6a7f https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3 https://jira.xwiki.org/browse/XWIKI-20343 https://jira.xwiki.org/browse/XWIKI-20583 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 9.6EPSS: 58%CPEs: 4EXPL: 0CVE-2023-35159 – XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in deletespace template
https://notcve.org/view.php?id=CVE-2023-35159
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 3.4-milestone-1. • https://github.com/xwiki/xwiki-platform/commit/5c20ff5e3bdea50f1053fe99a27e011b8d0e4b34 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x234-mg7q-m8g8 https://jira.xwiki.org/browse/XWIKI-20583 https://jira.xwiki.org/browse/XWIKI-20612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 9.6EPSS: 44%CPEs: 4EXPL: 0CVE-2023-35158 – XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template
https://notcve.org/view.php?id=CVE-2023-35158
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. • https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8 https://jira.xwiki.org/browse/XWIKI-20352 https://jira.xwiki.org/browse/XWIKI-20583 • CWE-87: Improper Neutralization of Alternate XSS Syntax •