critical
9.6
CWE
79 80
Advisory Published
Advisory Published
Updated

CVE-2023-46732: Reflected Cross-site scripting through revision parameter in content menu in XWiki Platform

First published: Mon Nov 06 2023(Updated: )

### Impact XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. The vulnerability can be demonstrated by opening `<xwiki-host>/xwiki/bin/view/Main/?rev=xar%3Aorg.xwiki.platform%3Axwiki-platform-distribution-flavor-common%2F15.5%25%25%22%3e%3cscript%3ealert(1)%3c%2fscript%3e` where `<xwiki-host>` is the URL of your XWiki installation. If an alert is displayed, the installation is vulnerable. ### Patches This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/04e325d57d4bcb6ab79bddcafbb19032474c2a55) can be manually applied without upgrading (or restarting) the instance. ### References * https://jira.xwiki.org/browse/XWIKI-21095 * https://github.com/xwiki/xwiki-platform/commit/04e325d57d4bcb6ab79bddcafbb19032474c2a55 ### Attribution We thank Agostino Parentela, Vulnerability Management Engineer of TicketOne S.p.A., [agostino.parentela@ticketone.it](mailto:agostino.parentela@ticketone.it) for reporting this vulnerability.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=15.0-rc-1<15.5.1
15.5.1
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=9.7-rc-1<14.10.14
14.10.14
Xwiki Xwiki>=9.7<14.10.14
Xwiki Xwiki>=15.0<15.5.1
>=9.7<14.10.14
>=15.0<15.5.1

Remedy

https://github.com/xwiki/xwiki-platform/commit/04e325d57d4bcb6ab79bddcafbb19032474c2a55

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-46732?

    CVE-2023-46732 is a vulnerability in XWiki that allows for reflected cross-site scripting (RXSS) through the 'rev' parameter in the content menu, potentially enabling an attacker to execute arbitrary actions.

  • What is the impact of CVE-2023-46732?

    The impact of CVE-2023-46732 is that an attacker can exploit the vulnerability to execute arbitrary actions in the context of the user's session.

  • How can an attacker exploit CVE-2023-46732?

    An attacker can exploit CVE-2023-46732 by convincing a user to visit a link with a crafted 'rev' parameter, triggering the execution of arbitrary actions.

  • Which versions of XWiki are affected by CVE-2023-46732?

    XWiki versions 9.7-rc-1 through 15.5.1 (excluding 15.5.1) of the 'org.xwiki.platform:xwiki-platform-flamingo-skin-resources' package are affected by CVE-2023-46732.

  • How do I fix CVE-2023-46732?

    To fix CVE-2023-46732, update to version 15.5.1 or later of the 'org.xwiki.platform:xwiki-platform-flamingo-skin-resources' package.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203