PT-2023-22290 · Xwiki · Xwiki

Ilie Andriuta · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29508

CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

XWiki versions prior to 13.10.11
XWiki versions prior to 14.4.7
XWiki versions prior to 14.10

Description

A user without script rights can introduce a stored XSS through the Live Data macro if the last author of the page content has script rights. The attacker adds malicious data to the description field, which is rendered as HTML rather than as text. For instance, an image element with an onerror attribute that executes JavaScript, such as <img onerror='alert(1)' src='foo' />, is stored in the description and runs in the browser of anyone who views the page.

Recommendations

For versions prior to 13.10.11, update to version 13.10.11 or later.
For versions prior to 14.4.7, update to version 14.4.7 or later.
For versions prior to 14.10, update to version 14.10 or later.
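The root cause above is a description string reaching the browser as HTML. The following is an added example, not XWiki code: it shows the safe rendering (escaping the value as text, which neutralises the payload quoted in the advisory) alongside a triage heuristic a defender can run over stored descriptions after upgrading, to find values that still need review. Record shape and sample values are constructed.

```javascript
// Added example, not part of XWiki. Demonstrates why rendering a stored
// description as text instead of HTML defeats the advisory's payload, and
// offers a review heuristic for descriptions already stored on an instance.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a description so the browser shows it literally; no markup is parsed,
// so an <img> with an onerror handler becomes visible text, not an element.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic for triage only: flag markup carrying an inline event handler
// (onerror=, onload=, ...) or a javascript: URL in a URL-bearing attribute.
// It matches the advisory's <img onerror=...> pattern and common variants,
// but is not a sanitizer and does not replace the vendor fix.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
const JS_URL_RE = /(?:href|src|action)\s*=\s*['"]?\s*javascript:/i;

function looksLikeStoredXss(value) {
  const s = String(value);
  return EVENT_HANDLER_RE.test(s) || JS_URL_RE.test(s);
}

// Review a batch of stored records (assumed shape: { id, description }) and
// return the ids whose description needs a human look.
function flagSuspiciousDescriptions(records) {
  return records.filter((r) => looksLikeStoredXss(r.description)).map((r) => r.id);
}

// Constructed sample records; the first reuses the payload quoted in the advisory.
const SAMPLE_RECORDS = [
  { id: 'page-1', description: "<img onerror='alert(1)' src='foo' />" },
  { id: 'page-2', description: 'Quarterly sales, grouped by region' },
  { id: 'page-3', description: '<a href="javascript:void(0)">link</a>' },
];

console.log(escapeHtml(SAMPLE_RECORDS[0].description));
console.log(flagSuspiciousDescriptions(SAMPLE_RECORDS));
```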

Exploit

Fix

XSS

Found a problem in the description? Have something to add? Feel free to write to us 👾

Weakness Enumeration

Related identifiers

CVE-2023-29508
GHSA-HMM7-6PH9-8JF2

Affected products

Xwiki