Vulnerability Description
`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 14.6, < 14.10.4 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adPatch
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxvVendor Advisory
- https://jira.xwiki.org/browse/XCOMMONS-2606Vendor Advisory
- https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adPatch
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxvVendor Advisory
- https://jira.xwiki.org/browse/XCOMMONS-2606Vendor Advisory
- https://jira.xwiki.org/browse/XCOMMONS-2606Vendor Advisory
FAQ
What is CVE-2023-31126?
CVE-2023-31126 is a vulnerability with a CVSS score of 9.0 (CRITICAL). `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code an...
How severe is CVE-2023-31126?
CVE-2023-31126 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-31126?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.