What is CVE-2023-35158?

CVE-2023-35158 is a vulnerability in XWiki Platform that allows users to inject malicious JavaScript code through a specially crafted URL, resulting in a cross-site scripting (XSS) attack.

How severe is CVE-2023-35158?

CVE-2023-35158 has a severity rating of 6.1 (critical).

What software versions are affected by CVE-2023-35158?

CVE-2023-35158 affects XWiki Platform versions 9.4, 9.4-rc-1, and 15.0 up to and including version 14.10.5.

How can I exploit CVE-2023-35158?

To exploit CVE-2023-35158, you can craft a URL with a payload to inject JavaScript code into the page.

Is there a fix for CVE-2023-35158?

Yes, the vulnerability has been fixed in the XWiki Platform with the following commit: d5472100606c8355ed44ada273e91df91f682738.

Vulnerability/
CVE-2023-35158

critical

9.7

CWE

87 79

23/6/2023

2/8/2024

CVE-2023-35158: XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in restore template

First published: Fri Jun 23 2023(Updated: )

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 9.4-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Xwiki Xwiki	>=9.4<14.10.5
Xwiki Xwiki	=9.4
Xwiki Xwiki	=9.4-rc-1
Xwiki Xwiki	=15.0

Remedy

https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738

Remedy

https://jira.xwiki.org/browse/XWIKI-20583

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-35158?
CVE-2023-35158 is a vulnerability in XWiki Platform that allows users to inject malicious JavaScript code through a specially crafted URL, resulting in a cross-site scripting (XSS) attack.
How severe is CVE-2023-35158?
CVE-2023-35158 has a severity rating of 6.1 (critical).
What software versions are affected by CVE-2023-35158?
CVE-2023-35158 affects XWiki Platform versions 9.4, 9.4-rc-1, and 15.0 up to and including version 14.10.5.
How can I exploit CVE-2023-35158?
To exploit CVE-2023-35158, you can craft a URL with a payload to inject JavaScript code into the page.
Is there a fix for CVE-2023-35158?
Yes, the vulnerability has been fixed in the XWiki Platform with the following commit: d5472100606c8355ed44ada273e91df91f682738.

collector/nvd-index
agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/author
agent/last-modified-date
agent/weakness
agent/title
agent/softwarecombine
agent/tags
agent/event
agent/description
agent/first-publish-date
vendor/xwiki
canonical/xwiki xwiki
version/xwiki xwiki/9.4
version/xwiki xwiki/9.4-rc-1
version/xwiki xwiki/15.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.