Vulnerability Details : CVE-2023-35155

Potential exploit
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.
Published 2023-06-23 19:15:09
Updated 2023-06-30 13:09:38
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-35155

Exploit prediction scoring system (EPSS) score for CVE-2023-35155

EPSS FAQ
34.08%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-35155

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.1
 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2.8
2.7
 NIST
8.8
 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
2.8
5.3
 GitHub, Inc.

CWE ids for CVE-2023-35155

References for CVE-2023-35155

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close