CVE-2023-45144— Remote code execution from login screen through unescaped URL parameter in OAuth Identity XWiki App
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-45144
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote code execution from login screen through unescaped URL parameter in OAuth Identity XWiki App
Source: NVD (National Vulnerability Database)
Vulnerability Description
com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OAuth Identity XWiki App 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OAuth Identity XWiki App是XWiki SAS开源的一个基于 OAuth 授权构建身份和服务提供商的基本要素库。 OAuth Identity XWiki App存在跨站脚本漏洞,该漏洞源于GET请求中发送的identityOAuth参数容易受到跨站脚本(XSS)和XWiki语法注入的攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| xwikisas | identity-oauth | >= 1.0, < 1.6 | - |
II. Public POCs for CVE-2023-45144
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-45144
请登录查看更多情报信息。
- https://jira.xwiki.org/browse/XWIKI-20719x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-45144
IV. Related Vulnerabilities
Same vendor: xwikisas
- CVE-2025-65036
XWiki Remote Macros vulnerable to remote code execution usin - CVE-2025-65089
XWiki view file macro: User can view content of office file - CVE-2025-54990
XWiki AdminTools application doesn't set permissions on the - CVE-2025-55730
XWiki Remote Macros vulnerable to remote code execution usin - CVE-2025-55729
XWiki Remote Macros vulnerable to remote code execution usin
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2023-45144
No comments yet