CVE-2023-45137
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2023-45137 is a cross-site scripting (XSS) vulnerability in the XWiki Platform. Affected artifacts are `org.xwiki.platform:xwiki-platform-web` from 3.1-milestone-2 up to (but not including) 13.4-rc-1, and `org.xwiki.platform:xwiki-platform-web-templates` prior to 14.10.12 in the 14.x line and prior to 15.5-rc-1 in the 15.x line. The vulnerability is triggered when a user tries to create a document whose name already exists: XWiki shows an error message that includes the requested document reference, and the template inserts that reference into the page without escaping, so any HTML in the name is rendered raw. An attacker who can create pages can therefore plant a non-empty document whose name contains the payload; any user who later attempts to create a document with the same name has the payload executed in their browser. The fix adds the missing escaping and ships in 14.10.12 and 15.5-rc-1; the 13.4-rc-1 boundary is where the template moved from `xwiki-platform-web` to `xwiki-platform-web-templates`, not a fixed release. The vulnerable template, `createinline.vm`, is part of XWiki's WAR, so deployments that cannot upgrade immediately can apply the fix to that file manually.
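To make the failure mode concrete, the following added example (not XWiki's own code; the real template is written in Velocity, and the exact wording of the error message below is assumed) renders an "already exists" error once with the document reference interpolated raw, as the vulnerable template did, and once with HTML escaping applied, and checks whether markup from the document name survives into the output:

```python
import html
import re

# Constructed sample: a document name carrying an XSS payload, as an attacker
# who can create a page with this name would supply it. The page name itself
# is the injection vector described in the advisory.
ATTACK_NAME = 'Sandbox.<img src=x onerror=alert(document.cookie)>'


def error_message_unescaped(doc_ref: str) -> str:
    """Vulnerable rendering: the reference is dropped into the HTML as-is.

    Mirrors the pre-fix behaviour: missing escaping means any tag in the
    name becomes live markup in the error box.
    """
    return (
        '<div class="box errormessage">'
        f'The document {doc_ref} already exists.'
        '</div>'
    )


def error_message_escaped(doc_ref: str) -> str:
    """Hardened rendering: the reference is HTML-escaped before insertion.

    quote=True also escapes " and ' so the same helper is safe if the
    reference is ever placed inside an attribute value.
    """
    safe_ref = html.escape(doc_ref, quote=True)
    return (
        '<div class="box errormessage">'
        f'The document {safe_ref} already exists.'
        '</div>'
    )


# Matches the start of any tag other than the template's own <div>/</div>.
_FOREIGN_TAG = re.compile(r'<(?!/?div\b)[A-Za-z]')


def contains_injected_markup(rendered: str) -> bool:
    """True if the rendered message contains a tag that did not come from the template."""
    return _FOREIGN_TAG.search(rendered) is not None


if __name__ == '__main__':
    for label, render in (('unescaped', error_message_unescaped),
                          ('escaped', error_message_escaped)):
        out = render(ATTACK_NAME)
        print(f'{label}: injected markup present = {contains_injected_markup(out)}')
        print(f'  {out}')
```

The check function is the kind of assertion to add to a template regression test after applying the patch: feed a name containing a tag and confirm only the template's own elements appear in the output.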
Affected Products
- Xwiki
Affected Vendors
- xwiki