Vulnerability Description
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 12.10, < 13.10.10 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c7Patch
- https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83gVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20143ExploitIssue TrackingVendor Advisory
- https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c7Patch
- https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83gVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20143ExploitIssue TrackingVendor Advisory
FAQ
What is CVE-2023-26480?
CVE-2023-26480 is a vulnerability with a CVSS score of 8.9 (HIGH). XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XW...
How severe is CVE-2023-26480?
CVE-2023-26480 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26480?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.