Cyber Resilience

CVE-2023-32071

Critical

Published: 09 May 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.3378 (97.1th percentile)
Risk Priority: 38 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-32071 is a critical-severity cross-site scripting (CWE-79) vulnerability in XWiki Platform (NVD vendor/product: xwiki/xwiki). Its CVSS v3.1 base score is 9.0 (Critical); the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H describes a network-reachable flaw that needs only low privileges, requires the victim to act (visit a link), and has changed scope with high confidentiality, integrity and availability impact.

Operationally, its EPSS score places it in the top 2.9% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki Platform, a generic wiki platform, contains a cross-site scripting vulnerability that permits execution of JavaScript in the security context of any targeted user. Affected releases run from 2.2-milestone-1 up to but not including 14.4.8, the 14.5 to 14.10 line before 14.10.4, and 15.0 milestone builds before 15.0-rc-1. The flaw stems from insufficient output encoding in the templates/importinline.vm template and is reached through a crafted URL that targets a page containing an attachment.

An attacker with low privileges on the wiki (the CVSS vector rates privileges required as low and user interaction as required) crafts such a URL and leads a victim to it; the victim's browser then executes attacker-controlled JavaScript with the victim's rights. Successful exploitation can therefore compromise the victim's account within the wiki, including reading or altering any content the victim can access and performing actions on the victim's behalf; the changed-scope rating (S:C) reflects that the impact lands in the victim's browser session rather than in the vulnerable component alone.

Official patches are available in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The project advisory points to commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01, which modifies templates/importinline.vm so that the relevant value is sanitized before it reaches the page; applying that same modification to the deployed template is the recommended workaround for instances that cannot be upgraded immediately. Because the file lives inside the deployed application, a hand-edit is replaced when the instance is upgraded, so the change should be tracked until the instance reaches a fixed release.

EPSS scores for this CVE peaked at 0.5748 before receding to the current 0.3378. The score remains in a high percentile, but EPSS estimates the probability of exploitation rather than recording observed activity, and no confirmed in-the-wild exploitation campaigns have been reported in the referenced sources.

Vulnerability details

XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `<xwiki app>/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.
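The version ranges in the advisory above are awkward to check by hand because XWiki release names carry milestone and release-candidate qualifiers that sort before the final release of the same number. The following triage helper is an added example, not XWiki project code: it parses XWiki-style version strings and tests them against the three affected ranges as this editor reads the advisory (2.2-milestone-1 up to 14.4.8, 14.5.0 up to 14.10.4, and 15.0 milestones up to 15.0-rc-1; each upper bound is the first fixed release and is excluded). The inventory at the bottom is constructed.

```python
"""Version triage helper for CVE-2023-32071 (XWiki Platform).

Added example, not XWiki project code.  Parses XWiki-style version strings
("14.4.7", "2.2-milestone-1", "15.0-rc-1") and checks them against the
affected ranges as read from the advisory; the sample inventory is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# XWiki release naming: milestones precede release candidates, which precede
# the final release of the same base version.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

VersionKey = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?")


def parse_version(text: str) -> VersionKey:
    """Map a version string to a sortable key (major, minor, patch, rank, n)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK[qualifier] if qualifier else _FINAL_RANK
    return (int(major), int(minor or 0), int(patch or 0), rank, int(qnum or 0))


# [first affected, first fixed) per release line; editor's reading of the
# advisory's "starting in 2.2-milestone-1 and prior to 14.4.8, 14.10.4, 15.0-rc-1".
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("2.2-milestone-1", "14.4.8"),
    ("14.5.0", "14.10.4"),
    ("15.0-milestone-1", "15.0-rc-1"),
)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the version's line if it is affected, else None."""
    key = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= key < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Annotate (host, version) pairs with an affected flag and upgrade target."""
    return [(host, ver, is_affected(ver), fixed_version_for(ver)) for host, ver in inventory]


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("wiki-a.example", "14.4.7"),
    ("wiki-b.example", "14.4.8"),
    ("wiki-c.example", "14.10.3"),
    ("wiki-d.example", "15.0-milestone-2"),
    ("wiki-e.example", "15.0-rc-1"),
    ("wiki-f.example", "2.1"),
]

if __name__ == "__main__":
    for host, ver, affected, fix in triage(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{host:16} {ver:18} {status}")
```

Versions between the end of one fixed line and the start of the next (for example a hypothetical 14.4.9) are treated as fixed, matching the advisory's per-line bounds; feed the helper the version string shown in the wiki's footer or in the deployed WAR's manifest.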

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 2.2; 2.3 up to (excluding) 14.4.8; 14.5.0 up to (excluding) 14.10.4

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Output validation (addresses CWE-79, CWE-116): output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
- Penetration testing (addresses CWE-79): penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS.
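The weakness class described in the deeper analysis (a URL-supplied value reaching a server-side template without output encoding) and the output-validation control listed above are easiest to see side by side. The following Python stand-in is an added example, not XWiki code and not the content of the referenced commit: a template echoes an attachment filename into HTML, first raw and then escaped, and a browser-like parse shows which tags each version produces. The template, the page name and the payload are constructed; in an XWiki Velocity template the equivalent of html.escape is wrapping the value in $escapetool.xml(...).

```python
"""Output-encoding demonstration for the weakness class behind CVE-2023-32071
(CWE-79 / CWE-116).

Added example, not XWiki code and not the content of the referenced commit.
The two render functions stand in for a server-side template that echoes a
URL-supplied value (an attachment filename) into HTML; the parser shows what
a browser would make of each result.
"""
import html
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Attacker-controlled value as it might arrive in a crafted URL.
# Constructed payload; the advisory's actual trigger is not reproduced here.
PAYLOAD = 'report.pdf"><script>alert(document.cookie)</script>'

# Tags the template itself emits; anything else in the output was injected.
TEMPLATE_TAGS = {"p", "input"}


def render_unescaped(page: str, filename: str) -> str:
    """Vulnerable form: untrusted values interpolated straight into markup."""
    return (f"<p>Import from page {page}</p>"
            f'<input type="hidden" name="attachment" value="{filename}">')


def render_escaped(page: str, filename: str) -> str:
    """Hardened form: every untrusted value is HTML-escaped at the output
    boundary (quote=True also neutralises the attribute-closing quote)."""
    return (f"<p>Import from page {html.escape(page)}</p>"
            f'<input type="hidden" name="attachment" '
            f'value="{html.escape(filename, quote=True)}">')


class _TagCollector(HTMLParser):
    """Records start tags and <input> attributes as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.inputs: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def parse_markup(markup: str) -> Tuple[List[str], List[Dict[str, str]]]:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.inputs


def injected_tags(markup: str) -> List[str]:
    """Tags in the rendered document that the template never emits; a
    non-empty result is the XSS signal a unit test or response scanner keys on."""
    tags, _ = parse_markup(markup)
    return [t for t in tags if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render("Sandbox.WebHome", PAYLOAD)
        print(f"{name:10} injected={injected_tags(out)!r}")
        print("           ", out)
```

The escaped form is lossless: the parser still recovers the original filename as the attribute value, so escaping at the output boundary preserves function while removing the injected script element, which is why it is preferred over input-side filtering of "script-like" content.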
