CVE-2023-32070
Published: 10 May 2023
Summary
CVE-2023-32070 is a critical-severity Improper Neutralization of Script in Attributes in a Web Page (CWE-83) vulnerability in Xwiki Rendering. Its CVSS base score is 9.0 (Critical).
Operationally, ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform's HTML rendering component, prior to version 14.6-rc-1, failed to validate dangerous attributes and attribute values in rendered content. This flaw permitted cross-site scripting attacks through attributes and link URLs supplied in XWiki syntax, as documented under CWE-79 and CWE-83.
An authenticated user with low privileges could supply crafted markup that executes arbitrary script in the browser context of other users who view the affected page. The CVSS 9.0 rating reflects network attack vector, low complexity, and high impact on confidentiality, integrity, and availability within the affected wiki instance.
Advisories and patches direct administrators to upgrade to XWiki 14.6-rc-1 or later; the referenced commits in the xwiki-rendering repository implement attribute filtering, and the GitHub Security Advisory states there are no workarounds short of applying the fixed release.
EPSS remains at 0.2190 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1481
Vulnerability details
XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in…
more
XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.