CVE-2023-35158
Published: 23 June 2023
Summary
CVE-2023-35158 is a critical-severity Improper Neutralization of Alternate XSS Syntax (CWE-87) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.6 (Critical).
Operationally, it is ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform, contains a reflected cross-site scripting vulnerability in its restore template that permits arbitrary JavaScript injection via crafted URLs. The flaw has existed since version 9.4-rc-1 and allows an attacker-supplied xredirect parameter containing a javascript: URI to execute in the context of the application when the page is rendered with parameters such as xpage=restore and showBatch=true.
An unauthenticated remote attacker can exploit the issue by persuading a victim to visit a maliciously constructed link, resulting in script execution that can achieve confidentiality, integrity, and availability impacts within the wiki application. The CVSS 3.1 score of 9.6 reflects the combination of network attack vector, low complexity, no required privileges, and changed scope.
Official patches are available in XWiki 14.10.5 and 15.1-rc-1; the corresponding commits and security advisory on GitHub document the fix for the restore template handling. The associated EPSS score rose from low values after disclosure to a peak of 0.3180 on 2025-01-22 before receding, indicating a period of increased exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1847
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It's possible to exploit the restore template to perform an XSS, e.g. by using a URL such as: /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
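The root cause above is a redirect parameter (xredirect) that is emitted into the page without scheme validation, and CWE-87 is about the many alternate spellings of `javascript:` that a blocklist misses. The following is an added example, not XWiki's own code or fix: an allow-list validator that accepts only same-site relative paths (so the spelling of the scheme never matters), plus a triage helper that runs it over constructed request lines of the shape shown in the advisory. Function names and the sample requests are assumptions for illustration.

```python
"""Added example (not XWiki's own code): allow-list validation of a redirect
parameter such as xredirect, plus triage of request lines for the
xpage=restore pattern described in the advisory. Sample input is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Browsers drop ASCII control characters and whitespace from a URL before they
# parse the scheme, so "java\tscript:" behaves like "javascript:". A validator
# must normalise the same way before deciding (the CWE-87 alternate-syntax issue).
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_redirect(value: str, max_decode: int = 3) -> bool:
    """Accept only a same-site relative path such as /xwiki/bin/view/Main/.
    Any value carrying a scheme, or a network-path prefix (//host, /\\host),
    is rejected; the check is an allow-list, so scheme spelling is irrelevant."""
    for _ in range(max_decode):          # undo nested percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = _STRIP_RE.sub("", value)     # normalise like a browser would
    if not value.startswith("/"):        # "javascript:...", "data:...", "http:..."
        return False
    if value.startswith("//") or value.startswith("/\\"):
        return False                     # protocol-relative redirect to another host
    return urlsplit(value).scheme == ""  # defence in depth; cannot fail after the above


def flag_restore_xss_requests(request_lines):
    """Return (line, xredirect) pairs for requests that combine xpage=restore
    with an xredirect value that fails the allow-list above."""
    hits = []
    for raw in request_lines:
        line = raw.strip()
        query = parse_qs(urlsplit(line).query, keep_blank_values=True)
        if "restore" not in query.get("xpage", []):
            continue
        for target in query.get("xredirect", []):
            if not is_safe_redirect(target):
                hits.append((line, target))
    return hits


SAMPLE_REQUESTS = [  # constructed request paths, not real traffic
    "/xwiki/bin/view/Main/?xpage=restore&showBatch=true&xredirect=/xwiki/bin/view/Main/",
    "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain)",
    "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=%6Aava%09script%3Aalert(1)",
    "/xwiki/bin/view/XWiki/Main?xpage=restore&xredirect=//evil.example/",
    "/xwiki/bin/view/Main/?xpage=view&xredirect=javascript:alert(1)",
]

if __name__ == "__main__":
    for line, target in flag_restore_xss_requests(SAMPLE_REQUESTS):
        print(f"FLAG xredirect={target!r} in {line}")
```

The second and third constructed lines are the same payload in plain and in percent-encoded, tab-split spelling; the allow-list rejects both without needing to know either spelling.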
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.