CVE-2023-45137

CVSS 3.1 Score 5.4 of 10 (medium)

Details

Published: Oct 25, 2023
Updated: Nov 7, 2023
CWE ID: 79

Summary

CVE-2023-45137 is a cross-site scripting (XSS) vulnerability in the XWiki Platform. Affected versions include `org.xwiki.platform:xwiki-platform-web` from 3.1-milestone-2 up to 13.4-rc-1, and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1. The vulnerability is triggered when a user attempts to create a document whose name already exists: XWiki displays an error message that includes the document reference, and because that reference is inserted without escaping, raw HTML in the name is rendered by the browser. Exploitation therefore requires the attacker to first create a non-empty document whose name contains the attack code. The issue has been addressed by adding appropriate escaping in versions 13.4-rc-1 and 14.10.12 onwards. The vulnerable template file, `createinline.vm`, ships in XWiki's WAR, so installations that cannot upgrade can be patched by applying the fix to that file manually.
