QwikSec

Security Database

CVE

CWE

Training

CVE-2023-26480

Published: Mar 2, 2023

Modified: Mar 5, 2025

PUBLISHED

CVSS v3.1

8.9

HIGH

Description

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.

Vendor	Product	Versions
xwiki	xwiki-platform	affected `>= 12.10, < 13.10.10` affected `>= 14.0, < 14.4.7` affected `>= 14.5, < 14.9`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79

x_refsource_MISC

https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-20143

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.