CVE-2023-29206 CRITICAL

CVE-2023-29206: org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins

Vendor Xwiki
Product xwiki-platform
Weakness CWE-79 · XSS
Published April 15, 2023
Last update February 6, 2025
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

Key dates

02Disclosure timeline

April 15, 2023 CVE published
February 6, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-8027 Stored Cross-Site Scripting (XSS) in netease-youdao/QAnything CVE-2025-32640 WordPress One Click Accessibility plugin <= 3.1.0 - Cross-Site Scripting (XSS) vulnerability CVE-2024-29774 WordPress WP Directory Kit plugin <= 1.2.9 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-13403 WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter CVE-2023-47768 WordPress Footer Putter Plugin <= 1.17 is vulnerable to Cross Site Scripting (XSS)