CVE-2023-26480

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.xwiki.platform/xwiki-platform-livedata-macro

Identifiers

GHSA-32fq-m2q5-h83g, CVE-2023-26480

Package Slug

maven/org.xwiki.platform/xwiki-platform-livedata-macro

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.

Affected Versions

All versions starting from 12.10 before 13.10.10, all versions starting from 14.0 before 14.4.7, all versions starting from 14.5 before 14.9

Solution

Upgrade to versions 13.10.10, 14.4.7, 14.9 or above.

Last Modified

2023-03-06

source