CVE-2023-32070 CRITICAL

CVE-2023-32070: Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

Vendor Xwiki
Product xwiki-rendering
Weakness CWE-83
Published May 10, 2023
Last update January 27, 2025

CVSS base score 9.1/10

Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering did not check for dangerous attributes or attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, for example those supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

Disclosure timeline

May 10, 2023 CVE published
January 27, 2025 Record updated