Cyber Resilience

CVE-2023-35158

Critical

Published: 23 June 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0955 (93.0th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35158 is a critical-severity Improper Neutralization of Alternate XSS Syntax (CWE-87) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki Platform, a generic wiki platform, contains a reflected cross-site scripting vulnerability in its restore template that permits arbitrary JavaScript injection via crafted URLs. The flaw has existed since version 9.4-rc-1 and allows an attacker-supplied xredirect parameter containing a javascript: URI to execute in the context of the application when the page is rendered with parameters such as xpage=restore and showBatch=true.

An unauthenticated remote attacker can exploit the issue by persuading a victim to visit a maliciously constructed link, resulting in script execution that can achieve confidentiality, integrity, and availability impacts within the wiki application. The CVSS 3.1 score of 9.6 reflects the combination of network attack vector, low complexity, no required privileges, and changed scope; the only factor holding it below 10.0 is that user interaction (UI:R) is required.

Official patches are available in XWiki 14.10.5 and 15.1-rc-1; the corresponding commits and security advisory on GitHub document the fix for the restore template handling. The associated EPSS score rose from low values after disclosure to a peak of 0.3180 on 2025-01-22 before receding, indicating a period of increased exploitation interest.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It is possible to exploit the restore template to perform an XSS, e.g. by using a URL such as /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
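As an added defender-side example that is not part of this record or of XWiki's own fix: a Python allowlist check for a redirect target such as xredirect, plus a detection rule that flags logged requests to the restore template whose xredirect fails that check. The hostname in ALLOWED_HOSTS and the sample request targets are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of this deployment's own hostnames (an assumption for the example).
ALLOWED_HOSTS = {"wiki.example.org"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist check for a redirect target such as the xredirect parameter.

    Accepts only a same-site path (single leading '/') or an absolute http(s)
    URL whose host is allowlisted. Every other scheme, including the javascript:
    URI from the advisory, is rejected. A denylist of the literal string
    'javascript:' is exactly what CWE-87 warns against: case variants and
    embedded control characters are alternate syntaxes a browser still honours.
    """
    # Browsers drop ASCII control characters and whitespace inside a scheme, so
    # judge the value the browser would actually act on.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", target)
    if not cleaned:
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: refuse protocol-relative '//host' and the backslash
        # form '/\host' that browsers normalise to '//host'.
        return cleaned.startswith("/") and not cleaned.startswith("//") and "\\" not in cleaned
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


def flag_request(request_target: str) -> bool:
    """True when a logged request target hits the restore template with an
    xredirect value that fails the allowlist (the CVE-2023-35158 pattern)."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if "restore" not in query.get("xpage", []):
        return False
    return any(not is_safe_redirect(value) for value in query.get("xredirect", []))


# Constructed request targets in the shape of access-log entries (not real traffic).
SAMPLE_REQUESTS = [
    "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain)",
    "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F",
    "/xwiki/bin/view/Main/?xredirect=javascript:alert(document.domain)",  # not the restore template
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("FLAG" if flag_request(req) else "ok  ", req)
```

The third sample is left unflagged on purpose: this rule is scoped to the restore template the advisory names, so a broader redirect audit would drop the xpage condition.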

CWE(s)

CWE-87: Improper Neutralization of Alternate XSS Syntax

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 15.0, 9.4 (range 9.4 to 14.10.5)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
