CVE-2023-29528
Published: 20 April 2023
Summary
CVE-2023-29528 is a critical-severity cross-site scripting (CWE-79) vulnerability in XWiki Commons. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 12.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a cross-site scripting flaw (CWE-79) in the "restricted" mode of the HTML cleaner in XWiki Commons, the technical libraries shared by several top-level XWiki projects. Restricted mode was introduced in version 4.2-milestone-1 and substantially reworked in 14.6-rc-1. The cleaner did not handle invalid HTML comments correctly: markup that it accepted as a comment could be parsed by the browser as live HTML, which permitted arbitrary HTML and JavaScript injection through any code that relied on restricted mode as a security filter.
An attacker supplies HTML containing such a crafted comment, and restricted mode lets it through. When a privileged user who holds programming rights later views the content, the embedded JavaScript runs in that user's session, and with programming rights that session can be used to execute code server-side, compromising the confidentiality, integrity, and availability of the XWiki instance.
Advisories and patches state that the issue is resolved in XWiki 14.10: HTML comments are now removed entirely in restricted mode, and an explicit check rejects comments that begin with `>`. No workaround is documented other than upgrading to a fixed release. The EPSS score peaked at 0.0578 before receding to its current value of 0.0316, indicating limited but observable post-disclosure interest that has since declined.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1420
Vulnerability details
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix.
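To make the mechanism described above (and in the Deeper analysis) concrete, the following is an added example in Python; it is not XWiki's own code (which is Java) and is not taken from the advisory. It models the parser differential behind an "invalid" comment: a lenient cleaner that treats everything from `<!--` to the next `-->` as one opaque comment, against a tokenizer that follows the HTML standard, under which `<!-->` is an abruptly closed, empty comment. The payload, the `BENIGN` sample, the function names and the two cleaner models are constructed for illustration; the two fixes implement what the advisory describes (comments removed in restricted mode; comments whose body starts with `>` refused).

```python
import re

# Constructed payload for this example, not taken from the advisory. Under the HTML
# standard's comment tokenizer "<!-->" is an abruptly closed, empty comment, so a browser
# renders an empty comment, then a live <script> element, then a stray "-->" text node.
PAYLOAD = '<p>Hello</p><!--><script>alert(document.cookie)</script>-->'
BENIGN = '<p>Hello</p><!-- a note --><b>bold</b>'

# A lenient view of comments: everything from "<!--" to the next "-->" is one comment.
NAIVE_COMMENT = re.compile(r'<!--(.*?)-->', re.S)
# The HTML standard ends a comment at "-->" or "--!>".
SPEC_COMMENT_END = re.compile(r'--!?>')


def naive_comments(html):
    """(start, end, body) for each comment as a lenient parser delimits it."""
    return [(m.start(), m.end(), m.group(1)) for m in NAIVE_COMMENT.finditer(html)]


def spec_comments(html):
    """(start, end, body) for each comment as the HTML standard's tokenizer delimits it.
    "<!-->" and "<!--->" close immediately with an empty body (taken from the HTML
    standard, not from the advisory); any other comment runs to "-->" or "--!>"."""
    out, i = [], 0
    while (start := html.find('<!--', i)) >= 0:
        j = start + 4
        if html.startswith('>', j):
            end, body = j + 1, ''
        elif html.startswith('->', j):
            end, body = j + 2, ''
        else:
            m = SPEC_COMMENT_END.search(html, j)
            end = m.end() if m else len(html)
            body = html[j:m.start()] if m else html[j:]
        out.append((start, end, body))
        i = end
    return out


def strip_spans(html, spans):
    """Return html with every (start, end, ...) span removed."""
    pieces, pos = [], 0
    for start, end, *_ in spans:
        pieces.append(html[pos:start])
        pos = end
    pieces.append(html[pos:])
    return ''.join(pieces)


def script_reaches_browser(html):
    """True if a <script> tag sits outside every comment as a browser delimits them."""
    return '<script' in strip_spans(html, spec_comments(html)).lower()


def lenient_clean(html):
    """Pre-fix model: comments are opaque and passed through; only markup outside them
    (by the lenient parse) is checked for <script>. Returns None if the input is refused."""
    if '<script' in strip_spans(html, naive_comments(html)).lower():
        return None
    return html


def restricted_clean(html):
    """Fix 1 from the advisory: in restricted mode, comments are removed entirely."""
    return strip_spans(html, naive_comments(html))


def comment_is_acceptable(body):
    """Fix 2 from the advisory: a comment whose body starts with ">" is refused, since
    "<!-->" is exactly where the lenient parse and the browser's parse diverge."""
    return not body.startswith('>')


if __name__ == '__main__':
    kept = lenient_clean(PAYLOAD)
    print('lenient cleaner passed payload :', kept is not None)
    print('script live in browser         :', script_reaches_browser(kept))
    print('restricted_clean ->', restricted_clean(PAYLOAD))
    print('comment body accepted?', comment_is_acceptable(naive_comments(PAYLOAD)[0][2]))
```

The lenient model passes the payload unchanged because, on its parse, no `<script>` sits outside a comment; the standard-following tokenizer then finds the script live. Either fix stops it: removal drops the whole comment span, and the `>` check refuses the comment body at its first character. The `<!--->` branch in `spec_comments` is there because the standard treats that form the same way; the page documents only the `>` check, and in restricted mode the removal of all comments covers every comment shape regardless.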
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Note that the advisory documents no workaround for this CVE other than upgrading to a fixed release, so these generic CWE-79 controls complement the patch rather than replace it.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation checks generated web pages against the expected content and can reject or sanitize script content before it reaches the browser, reducing XSS exploitability.