CVE-2023-35153 CRITICAL

CVE-2023-35153: XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name parameters

Vendor Xwiki
Product xwiki-platform
Weakness CWE-79 · XSS
Published June 23, 2023
Last update November 29, 2024
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting `/xwiki/bin/view/AppWithinMinutes/ClassEditSheet` executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update `AppWithinMinutes.ClassEditSheet` with a patch.

Key dates

02Disclosure timeline

June 23, 2023 CVE published
November 29, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-57764 WeGIA Cross-Site Scripting (XSS) Reflected endpoint 'cargos.php' parameter 'msg_e' CVE-2023-47680 WordPress Qi Addons For Elementor Plugin <= 1.6.3 is vulnerable to Cross Site Scripting (XSS) CVE-2025-46848 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2023-7075 code-projects Point of Sales and Inventory Management System checkout.php cross site scripting CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute