CVE-2023-29206
org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
- Severity Score: 5.4 (CVSS v3.1)
- Exploit Likelihood (EPSS): -
- Affected Versions: from CPE data (see table below)
- Public Exploits: 3 (multiple sources)
- Exploited in Wild (KEV): -
- Decision (SSVC): Track
Description
XWiki Commons are technical libraries common to several other top-level XWiki projects. There was no check on the author of a JavaScript xobject or StyleSheet xobject added to an XWiki document, so a user with only Edit right could create such an object and craft a script that performs operations when it is executed by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by executing the script only if its author has Script right.
*Credits:
N/A
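The following toy model, added here as an illustration and not taken from XWiki's source, shows why the author must gate execution: a parsed JSX/SSX object's code runs with the privileges of whoever loads the page, so an Edit-only author's payload is harmless when they view it themselves and only fires when a privileged user renders it. The names Right, Document, JsxObject, has_access, evaluate, render_vulnerable and render_fixed are hypothetical, the `#script(...)` / `${user}` syntax is a stand-in for Velocity, and the rights table and payload are constructed for the demo.

```python
"""Toy model of the authorization gap behind CVE-2023-29206.

Added example, not XWiki source. Right, Document, JsxObject, has_access,
evaluate, render_vulnerable and render_fixed are hypothetical names; the
'#script(...)' / '${user}' syntax is a stand-in for Velocity, and the
rights table and payload are constructed for the demo.
"""
import re
from dataclasses import dataclass
from enum import Enum, auto


class Right(Enum):
    VIEW = auto()
    EDIT = auto()
    SCRIPT = auto()


# Constructed rights table: Mallory can edit pages but holds no Script right.
RIGHTS = {
    "Admin": {Right.VIEW, Right.EDIT, Right.SCRIPT},
    "Mallory": {Right.VIEW, Right.EDIT},
}


def has_access(user, right):
    return right in RIGHTS.get(user, set())


@dataclass
class JsxObject:
    code: str
    parse: bool  # like the JavaScriptExtension 'parse' flag: run Velocity first


@dataclass
class Document:
    author: str  # author of the document that carries the xobject
    jsx: JsxObject


class ScriptDenied(Exception):
    pass


def evaluate(template, executing_user, side_effects):
    """Velocity stand-in: '#script(x)' needs the Script right of the EXECUTING
    user and records a privileged action; '${user}' expands to that user."""
    def run_script(match):
        if not has_access(executing_user, Right.SCRIPT):
            raise ScriptDenied(executing_user)
        side_effects.append(f"{executing_user}:{match.group(1)}")
        return ""
    out = re.sub(r"#script\((.*?)\)", run_script, template)
    return out.replace("${user}", executing_user)


def render_vulnerable(doc, viewer, side_effects):
    # Pre-14.9-rc-1 behaviour as the advisory describes it: a parsed JSX is
    # evaluated in the viewer's context; who wrote it is never checked.
    if doc.jsx.parse:
        return evaluate(doc.jsx.code, viewer, side_effects)
    return doc.jsx.code


def render_fixed(doc, viewer, side_effects):
    # Fix as the advisory describes it: execute only if the AUTHOR has Script
    # right. Serving the unparsed code otherwise is this model's choice; read
    # the linked commit for the real fallback behaviour.
    if doc.jsx.parse and has_access(doc.author, Right.SCRIPT):
        return evaluate(doc.jsx.code, viewer, side_effects)
    return doc.jsx.code


# Constructed payload stored by an Edit-only user: harmless JS plus a Velocity
# directive that performs a privileged action when a privileged viewer loads it.
PAYLOAD = 'var who = "${user}"; #script(grantAdmin XWiki.Mallory)'


def demo(render, viewer="Admin"):
    """Return (served code, privileged actions) for one render; None if denied."""
    doc = Document(author="Mallory", jsx=JsxObject(code=PAYLOAD, parse=True))
    effects = []
    try:
        served = render(doc, viewer, effects)
    except ScriptDenied:
        served = None
    return served, effects


if __name__ == "__main__":
    print("vulnerable, admin views :", demo(render_vulnerable))
    print("vulnerable, author views:", demo(render_vulnerable, viewer="Mallory"))
    print("fixed, admin views      :", demo(render_fixed))
```

The point the model makes is that the viewer-side rights check in `evaluate` is not wrong by itself; it is simply the wrong principal to consult for code that someone else stored. Gating on the author, as `render_fixed` does, is what closes the confused-deputy path.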
SSVC
- Decision: Track
Timeline
- 2023-04-03 CVE Reserved
- 2023-04-15 CVE Published
- 2025-02-06 CVE Updated
- 2025-02-06 First Exploit
- 2025-04-15 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (4)
URL | Date
---|---
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx | 2025-02-06
https://jira.xwiki.org/browse/XWIKI-19514 | 2025-02-06
https://jira.xwiki.org/browse/XWIKI-19583 | 2025-02-06
https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb | 2023-09-29
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Xwiki | Xwiki | > 3.0 <= 14.8 | - | Affected
Xwiki | Xwiki | 3.0 | - | Affected
Xwiki | Xwiki | 3.0 | milestone_2 | Affected
Xwiki | Xwiki | 3.0 | milestone3 | Affected
Xwiki | Xwiki | 3.0 | rc1 | Affected