Cyber Resilience

CVE-2023-29207

Severity: High · Public PoC

Published: 15 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in XWiki 14.9, 14.4.6 and 13.10.10
CVSS Score v3.1: 8.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.1765 (95.3rd percentile)
Risk Priority: 28 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29207 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki (vendor xwiki, product xwiki). Its CVSS base score is 8.9 (High).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Commons contains an unsanitized column-name handling flaw in the Livetable Macro that permits insertion of arbitrary HTML and JavaScript. The same vector is reachable through the Documents Macro (present since XWiki 3.5M1) without requiring script rights, as demonstrated by the syntax {{documents id="example" count="5" actions="false" columns="doc.title, before<script>alert(1)</script>after"/}}. The issue therefore affects any XWiki instance exposing these macros to authenticated or comment-posting users.

An attacker needs only low-privileged access to inject the payload; when a higher-privileged user later views the affected page or comment, the script executes in that user's context. Successful exploitation can yield privilege escalation, remote code execution, content tampering, or information disclosure inside the wiki.

The vulnerability is fixed in XWiki 14.9, 14.4.6, and 13.10.10; the corresponding commits and GitHub Security Advisory GHSA-6vgh-9r3c-2cxp document the sanitization changes applied to column handling. The EPSS score has remained flat at 0.1765 since disclosure, indicating no material increase in observed exploitation interest.

EU & UK References

Vulnerability details

XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included since XWiki 3.5M1 and doesn't require script rights; this can be demonstrated with the syntax `{{documents id="example" count="5" actions="false" columns="doc.title, before<script>alert(1)</script>after"/}}`. Therefore, this can also be exploited by users without script right and in comments. With the interaction of a user with more rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected version ranges: 1.9 — 13.10.10 · 14.0 — 14.4.6 · 14.5 — 14.9 (fixed in 13.10.10, 14.4.6 and 14.9)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-79) Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

- (addresses CWE-79) Validates web inputs to reject script-related content that could produce XSS.

- (addresses CWE-79) Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
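The two controls above (input validation and output encoding) map directly onto the defect described in the analysis: a macro parameter holding column names was written into page markup unchanged. The following is an added illustration, not XWiki's code and not the project's fix; it is a constructed stand-in for a livetable-style header renderer, using the `columns` value quoted in the advisory as test input. The function names, the identifier allow-list and the `contains_script_tag` check are all assumptions made for this example.

```python
import html
import re
from typing import List

# Added example, not XWiki's code. A constructed stand-in for a livetable-style
# macro that turns its comma-separated `columns` parameter into table-header
# markup; it mirrors the defect class (raw column names written into HTML)
# and the two defensive controls listed above (input validation, output encoding).

# The columns value quoted in the advisory, used here as a constructed test input.
ADVISORY_COLUMNS = "doc.title, before<script>alert(1)</script>after"

# Assumed allow-list for column identifiers: dotted property names such as doc.title.
COLUMN_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def split_columns(columns_param: str) -> List[str]:
    """Split the macro parameter the way such a macro would: on commas, trimmed."""
    return [c.strip() for c in columns_param.split(",") if c.strip()]


def render_headers_vulnerable(columns_param: str) -> str:
    """Defect class: column names are interpolated into markup unchanged."""
    cells = "".join(f"<th>{name}</th>" for name in split_columns(columns_param))
    return f"<tr>{cells}</tr>"


def render_headers_encoded(columns_param: str) -> str:
    """Output encoding: every column name is HTML-escaped before emission."""
    cells = "".join(
        f"<th>{html.escape(name, quote=True)}</th>"
        for name in split_columns(columns_param)
    )
    return f"<tr>{cells}</tr>"


def validate_columns(columns_param: str) -> List[str]:
    """Input validation: reject any column name outside the identifier allow-list."""
    names = split_columns(columns_param)
    bad = [n for n in names if not COLUMN_NAME.match(n)]
    if bad:
        raise ValueError(f"rejected column name(s): {bad}")
    return names


def render_headers_hardened(columns_param: str) -> str:
    """Both controls together: validate first, and still encode on output."""
    return render_headers_encoded(", ".join(validate_columns(columns_param)))


def contains_script_tag(rendered: str) -> bool:
    """Crude check a test harness or log rule might use: is a live <script> tag present?"""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable:", render_headers_vulnerable(ADVISORY_COLUMNS))
    print("encoded:   ", render_headers_encoded(ADVISORY_COLUMNS))
    try:
        render_headers_hardened(ADVISORY_COLUMNS)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", render_headers_hardened("doc.title, doc.date"))
```

Encoding alone already neutralises the quoted payload (the `<` and `>` reach the browser as `&lt;` and `&gt;`), which is why output encoding is the control that actually closes CWE-79; the allow-list is a second layer that rejects the malformed parameter before rendering and gives a loggable event for detection.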

References