Cyber Resilience

CVE-2023-35155

High · Public PoC

Published: 23 June 2023
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.4703 (97.8th percentile)
Risk Priority: 46 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35155 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki Platform (vendor/product: xwiki/xwiki). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform, contains a reflected cross-site scripting vulnerability (CWE-79) that allows an attacker to inject arbitrary JavaScript by crafting a malicious URL targeting the share viewer endpoint. The flaw affects the handling of parameters such as "target" and "viewer=share" in the /xwiki/bin/view/Main/ path, enabling script execution in the context of another user's session when the link is visited.

An unauthenticated remote attacker can exploit the issue by sending a victim a specially crafted URL containing an XSS payload. Successful exploitation permits theft of session data, unauthorized actions on behalf of the victim, or other impacts consistent with the CVSS 8.8 rating, whose vector reflects a network attack vector, low attack complexity, no privileges required, user interaction required, and changed scope.

The vulnerability is addressed in the official patches released for XWiki versions 15.0-rc-1, 14.10.4, and 14.4.8, as documented in the GitHub Security Advisory GHSA-fwwj-wg89-7h4c and the corresponding XWIKI-20370 Jira entry. Administrators should upgrade to one of these fixed releases to eliminate the injection vector. The associated EPSS score has remained stable at its peak value of 0.4703 with no material post-disclosure increase observed.
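As an added illustration (not part of this tracker entry or of XWiki's own code), the following Python sweep runs over constructed access-log lines and flags share-viewer requests whose decoded `target` parameter carries HTML markup, the pattern described above. The combined log format, the `/bin/view/` path match and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log line: client address, timestamp, request line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*"')

# Markup that has no business in a share-recipient field: an HTML tag or an on*= event handler.
MARKUP_RE = re.compile(r'<\s*/?[a-z]|\bon[a-z]+\s*=', re.IGNORECASE)


def share_targets(url):
    """Return every decoded 'target' value when the URL hits the XWiki share viewer, else []."""
    parts = urlsplit(url)
    if "/bin/view/" not in parts.path:          # assumption: the viewer is reached via /bin/view/
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "share" not in qs.get("viewer", []):
        return []
    # parse_qs collects repeated parameters, so the advisory's 'target=&target=<payload>' shape
    # yields ['', '<payload>'] and the second value is still inspected.
    return qs.get("target", [])


def find_suspicious_share_requests(log_lines):
    """Return (client_ip, timestamp, decoded_target) for share requests whose target carries markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        for target in share_targets(m.group("url")):
            if MARKUP_RE.search(target):
                hits.append((m.group("ip"), m.group("ts"), target))
    return hits


# Constructed sample log lines (not real traffic); the third request reuses the advisory's payload shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jun/2023:10:00:00 +0000] "GET /xwiki/bin/view/Main/?viewer=share&send=1&target=alice%40example.org&includeDocument=inline HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [23/Jun/2023:10:00:30 +0000] "GET /xwiki/bin/view/Main/?viewer=share&send=1&target=%3C3+bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jun/2023:10:01:00 +0000] "GET /xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E&includeDocument=inline HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [23/Jun/2023:10:02:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, target in find_suspicious_share_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious share target: {target!r}")
```

The "<3 bob" line is deliberately not flagged: a bare less-than sign in a recipient field is not a tag, so the rule keys on tag and handler syntax rather than on the character alone.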

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that allows injecting JavaScript into the page (XSS). For instance, the following URL executes an `alert` in the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.

CWE(s)

CWE-79: Cross-site Scripting

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki · Product: xwiki
Versions: ≤ 14.4.8 · 14.10 to 14.10.4

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

References