CVE-2023-40176

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published Aug 23, 2023
Updated: Aug 29, 2023
CWE ID 79

Summary

CVE-2023-40176 is a stored XSS vulnerability in XWiki Platform, a widely used wiki platform. A malicious user can exploit it through the time zone preference in their user profile: although the interface presents this preference as a dropdown menu, it can be set to an arbitrary value. Attackers can use various methods, such as JavaScript or URL manipulation, to set the time zone value to their payload, which is then displayed to other users, leading to potential information theft and privilege escalation. The issue has been present since version 4.1M2 and is corrected in versions 14.10.5 and 15.1RC1.
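
The general defence against this class of bug, shown as an added Java example that is neither XWiki's code nor its actual fix: validate the submitted time zone on the server against the zone IDs the JRE knows, and HTML-escape the stored value wherever it is rendered. The class and method names, and the treatment of an empty value as "use the default", are assumptions made for illustration.

```java
import java.time.ZoneId;
import java.util.Optional;
import java.util.Set;

// Added illustration, not XWiki code; class and method names are hypothetical.
public class TimeZonePreference {
    // Zone IDs known to the JRE: the only non-empty values the server accepts.
    private static final Set<String> KNOWN_ZONES = ZoneId.getAvailableZoneIds();

    /** Server-side validation; the browser's dropdown constrains nothing. */
    static Optional<String> validate(String submitted) {
        if (submitted == null || submitted.isEmpty()) {
            return Optional.of(""); // assumption: empty means "use the wiki default"
        }
        return KNOWN_ZONES.contains(submitted) ? Optional.of(submitted) : Optional.empty();
    }

    /** Output encoding for HTML text and quoted-attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a real zone ID, an empty value, a value carrying markup.
        String[] samples = { "Europe/Paris", "", "Europe/Paris\"><b>not-a-zone</b>" };
        for (String raw : samples) {
            boolean accepted = validate(raw).isPresent();
            // Escape on output as well, so values stored before validation
            // existed are rendered as text rather than markup.
            System.out.println((accepted ? "stored:   " : "rejected: ") + escapeHtml(raw));
        }
    }
}
```

Validation alone does not cover values saved before it was introduced, which is why the output-encoding step is applied independently of it.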
