Skip to main content

Xwiki CVE-2023-45134

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2023-10-25 security-advisories@github.com
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 25, 2023 - 20:15 nvd
CRITICAL 9.0

DescriptionNVD

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-1 and prior to 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard starting in version 2.4-milestone-2 and prior to version 3.1-milestone-1 are vulnerable to cross-site scripting. An attacker can create a template provider on any document that is part of the wiki (could be the attacker's user profile) that contains malicious code. This code is executed when this template provider is selected during document creation which can be triggered by sending the user to a URL. For the attacker, the only requirement is to have an account as by default the own user profile is editable. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link. Depending on the rights of the user, this may allow remote code execution and full read and write access to the whole XWiki installation. This has been patched in org.xwiki.platform:xwiki-platform-web 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard 3.1-milestone-1 by adding the appropriate escaping. The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

AnalysisAI

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-1 and prior to 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard starting in version 2.4-milestone-2 and prior to version 3.1-milestone-1 are vulnerable to cross-site scripting. An attacker can create a template provider on any document that is part of the wiki (could be the attacker's user profile) that contains malicious code. This code is executed when this template provider is selected during document creation which can be triggered by sending the user to a URL. For the attacker, the only requirement is to have an account as by default the own user profile is editable. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link. Depending on the rights of the user, this may allow remote code execution and full read and write access to the whole XWiki installation. This has been patched in org.xwiki.platform:xwiki-platform-web 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard 3.1-milestone-1 by adding the appropriate escaping. The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix. Affected products include: Xwiki. Version information: version 3.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Xwiki

View all
CVE-2025-24893 CRITICAL POC
9.8 Feb 20

XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute

CVE-2024-21650 CRITICAL POC
10.0 Jan 08

XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the u

CVE-2025-32969 CRITICAL POC
9.3 Apr 23

XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no aut

CVE-2023-27479 CRITICAL POC
9.9 Mar 07

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2024-31996 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2024-31982 CRITICAL POC
9.8 Apr 10

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2023-46731 CRITICAL POC
9.8 Nov 06

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2023-26477 CRITICAL POC
9.8 Mar 02

XWiki Platform is a generic wiki platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitabl

CVE-2025-49586 HIGH POC
8.8 Jun 13

A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available

CVE-2025-55747 CRITICAL POC
9.3 Sep 03

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

CVE-2025-46558 CRITICAL POC
9.0 Apr 30

XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown.

CVE-2023-45136 CRITICAL POC
9.6 Oct 25

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical

Share

CVE-2023-45134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy