XWiki XSS via HTML cleaner restricted mode before 14.10
CVE-2023-29528 Published on April 20, 2023

Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
XWiki Commons are technical libraries common to several other top-level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code, and thus cross-site scripting, via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of that user's session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10: HTML comments are now removed in restricted mode, and a check has been introduced that ensures comments don't start with `>`. There are no known workarounds apart from upgrading to a version that includes the fix.
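The following is an added illustration, not XWiki's own cleaner code, of the two-part fix described above: in restricted mode every comment is dropped wholesale, and any comment whose body starts with `>` is flagged so it never reaches the output. The regex-based comment scanner, the function names and the sample markup are constructed for this example; a real cleaner works on a parsed DOM rather than on the raw string.

```python
import re

# Constructed stand-in for a server-side HTML cleaner's view of a comment:
# everything between "<!--" and the next "-->". A browser, by contrast,
# closes "<!-->" immediately, which is why a comment body beginning with ">"
# is exactly the case the XWiki 14.10 check refuses.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def find_comments(html: str) -> list[str]:
    """Return the body of every comment as the cleaner tokenizes it."""
    return [m.group(1) for m in COMMENT_RE.finditer(html)]


def suspicious_comments(html: str) -> list[str]:
    """Comment bodies that start with '>' (rejected by the described check)."""
    return [body for body in find_comments(html) if body.startswith(">")]


def clean_restricted(html: str) -> str:
    """Restricted mode after the fix: remove all comments, suspicious or not."""
    return COMMENT_RE.sub("", html)


def clean_unrestricted(html: str) -> str:
    """Hypothetical non-restricted path that still emits comments: keep them,
    but refuse any output containing a comment that starts with '>'."""
    bad = suspicious_comments(html)
    if bad:
        raise ValueError(f"comment body starting with '>' rejected: {bad!r}")
    return html


# Constructed sample: the cleaner sees one comment spanning "<!--" to "-->",
# but its body begins with ">", so a browser would render the inner markup.
SAMPLE = "<p>hi</p><!-->unexpected<b>bold</b>--><p>bye</p>"

if __name__ == "__main__":
    print("comments seen by cleaner:", find_comments(SAMPLE))
    print("suspicious:", suspicious_comments(SAMPLE))
    print("restricted output:", clean_restricted(SAMPLE))
```

Running the module prints the single comment body, flags it as suspicious, and shows that restricted mode emits `<p>hi</p><p>bye</p>` with nothing from inside the comment surviving.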


Vulnerability Analysis

CVE-2023-29528 is exploitable with network access, requires user interaction and only low privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

What is an XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2023-29528 has been classified as an XSS vulnerability or weakness.


Products Associated with CVE-2023-29528

Xwiki Commons
Xwiki

Affected Versions

xwiki-commons Version >= 4.2-milestone-1, < 14.10 is affected by CVE-2023-29528

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-29528

Package manager: maven
Package: org.xwiki.commons:xwiki-commons-xml
Vulnerable versions: >= 4.2-milestone-1, < 14.10
Fixed in: 14.10

Exploit Probability

EPSS score: 3.16%
Percentile: 87.17%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.