CVE-2023-29508
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
16/04/2023
Last modified:
11/04/2025
Description
XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.<br />
Impact
Base Score 3.x
8.90
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 13.10.11 (excluding) | |
| cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 14.4.0 (including) | 14.4.7 (excluding) |
| cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312