CVE-2023-34464

Summary

CVE-2023-34464 is a vulnerability affecting XWiki Platform versions 2.2.1 to 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates. The vulnerability allows any user with document editing rights in a wiki, such as the user profile, to create a stored cross-site scripting attack by inserting HTML code into a document and tricking another user into visiting that document with the 'displaycontent' or 'rendercontent' template and plain output syntax. If a user with programming rights falls for this trick and visits the URL, the attacker can perform arbitrary actions using that user's privileges, potentially compromising the confidentiality, integrity, and availability of the entire XWiki installation. The issue has been resolved in XWiki versions 14.4.8, 14.10.5, and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not valid HTML to prevent exploitation. Note: The information provided above is based on the given text description and may not represent the complete details or latest updates about the vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.