CVE-2023-35153

Опубликовано: 23 июн. 2023

Источник: nvd

CVSS3: 9

CVSS3: 5.4

EPSS Низкий

Описание

XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a AppWithinMinutes.FormFieldCategoryClass class on a page and setting the payload on the page title. Then, any user visiting /xwiki/bin/view/AppWithinMinutes/ClassEditSheet executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update AppWithinMinutes.ClassEditSheet with a patch.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302
Patch
Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20365
Exploit
Issue Tracking
Patch
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302
Patch
Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20365
Exploit
Issue Tracking
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 5.4.4 (включая) до 14.4.8 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.10 (включая) до 14.10.4 (исключая)

cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:*

EPSS

Процентиль: 84%

0.02094

Низкий

9 Critical

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-4wc6-hqv9-qc97

CVSS3: 9

github

больше 2 лет назад

XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name parameters

EPSS

Процентиль: 84%

0.02094

Низкий

9 Critical

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79