CVE-2023-35155— XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

CVSS 8.8 · High EPSS 47.03% · P98 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-35155

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

Source: NVD (National Vulnerability Database)

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

XWiki Platform 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

XWiki Platform是法国XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在跨站脚本漏洞，该漏洞源于。受影响的产品和版本：XWiki Platform 2.6 RC2及之前版本，2.7 RC1及之前版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
xwiki	xwiki-platform	>= 2.6-rc-2, < 14.4.8	-

II. Public POCs for CVE-2023-35155

#	POC Description	Source Link	Shenlong Link
1	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS).	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-35155.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-35155

请登录查看更多情报信息。

https://jira.xwiki.org/browse/XWIKI-20370x_refsource_MISC
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fwwj-wg89-7h4cx_refsource_CONFIRM
https://nvd.nist.gov/vuln/detail/CVE-2023-35155

Same Patch Batch · xwiki · 2023-06-23 · 16 CVEs total

CVE-2023-34465	10.0 CRITICAL	XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
CVE-2023-35152	10.0 CRITICAL	XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTable
CVE-2023-35150	9.9 CRITICAL	XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation appl
CVE-2023-35156	9.7 CRITICAL	XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in del
CVE-2023-35158	9.7 CRITICAL	XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in res
CVE-2023-35159	9.7 CRITICAL	XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in del
CVE-2023-35160	9.7 CRITICAL	XWiki Platform vulnerable to reflected cross-site scripting via back and xcontinue paramet
CVE-2023-35161	9.7 CRITICAL	XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in Del
CVE-2023-35162	9.7 CRITICAL	XPlatform Wiki vulnerable to cross-site scripting via xcontinue parameter in preview actio
CVE-2023-34464	9.1 CRITICAL	XWiki vulnerable to stored cross-site scripting via any wiki document and the displayconte
CVE-2023-35153	9.1 CRITICAL	XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name p
CVE-2023-35157	8.5 HIGH	XWiki Platform vulnerable to reflected cross-site scripting via delattachment action
CVE-2023-34467	7.5 HIGH	XWiki Platform may retrieve email addresses of all users
CVE-2023-35151	7.5 HIGH	XWiki Platform may show email addresses in clear in REST results
CVE-2023-34466	4.3 MEDIUM	XWiki Platform's tags on non-viewable pages can be revealed to users

IV. Related Vulnerabilities

Same product: xwiki-platform

Same vendor: xwiki

Same weakness: CWE-79

V. Comments for CVE-2023-35155

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-35155— XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

I. Basic Information for CVE-2023-35155

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-35155

III. Intelligence Information for CVE-2023-35155

Same Patch Batch · xwiki · 2023-06-23 · 16 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-35155

Leave a comment