
CVE-2023-31126 PoC — Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml

Associated Vulnerability
Title: Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml (CVE-2023-31126)
Description: `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner, as there attributes are cleaned and thus characters like `/` and `>` are removed from all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.
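The failure mode described above, as an added illustration that is not XWiki's code: a DOM-based sanitizer accepts any attribute whose name starts with `data-` and checks nothing else, and the serializer writes attribute names verbatim. Because the element tree is not built by an HTML tokenizer (wiki-syntax parameters or a template engine can supply arbitrary names), a name containing `/` and `>` survives filtering and becomes markup once the tree is serialized and re-parsed. The allow-list, the attacker attribute and the `DATA_ATTR_NAME` pattern are all assumptions of this example; the pattern is a deliberately stricter, ASCII-only approximation of the HTML spec's rule for custom data attribute names.

```python
import html
import re
from html.parser import HTMLParser

# Attributes accepted by name on any element (illustrative allow-list, an assumption).
ALLOWED_ATTRS = {"class", "id", "title"}

# Hardened data-attribute check. The HTML spec requires a custom data attribute
# name to be "data-" plus at least one XML-compatible character with no ASCII
# upper-case letters; this pattern is a stricter ASCII-only approximation
# (assumption of this example) that still rejects '/', '>', '"', '=' and whitespace.
DATA_ATTR_NAME = re.compile(r"^data-[a-z0-9_.\-]+$")


def filter_attrs_vulnerable(attrs):
    """Keep allow-listed names and anything starting with 'data-'.
    Only the prefix is inspected; the rest of the name passes through untouched."""
    return [(n, v) for n, v in attrs if n in ALLOWED_ATTRS or n.startswith("data-")]


def filter_attrs_fixed(attrs):
    """Same policy, but a data attribute must match DATA_ATTR_NAME in full."""
    return [(n, v) for n, v in attrs if n in ALLOWED_ATTRS or DATA_ATTR_NAME.match(n)]


def serialize(tag, attrs, text):
    """Serialize one element. Values and text are escaped, but the attribute
    name is written verbatim, which is what turns a bad name into markup."""
    rendered = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs)
    return f"<{tag}{rendered}>{html.escape(text)}</{tag}>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parsed_tags(markup):
    """Re-parse serialized output the way a browser would and list its start tags."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def has_event_handler(markup):
    """True if any tag in the re-parsed markup carries an on* attribute."""
    return any(
        name.startswith("on") for _, attrs in parsed_tags(markup) for name, _ in attrs
    )


# Constructed attacker-controlled element: the attribute *name* carries markup.
# An HTML tokenizer would never produce such a name, but a DOM built from
# another syntax can.
ATTACK_ATTRS = [
    ("class", "box"),
    ("data-x/><img src=x onerror=alert(1)><p data-y", ""),
]


def render(filter_fn, tag="div", attrs=ATTACK_ATTRS, text="hello"):
    """Run one filter over the constructed element and serialize the result."""
    return serialize(tag, filter_fn(attrs), text)


if __name__ == "__main__":
    for label, fn in (("vulnerable", filter_attrs_vulnerable), ("fixed", filter_attrs_fixed)):
        out = render(fn)
        print(f"{label}: {out}")
        print(f"  event handler after re-parse: {has_event_handler(out)}")
```

The vulnerable path emits `<div class="box" data-x/><img src=x onerror=alert(1)><p data-y="">hello</div>`, which a browser reads as three elements, one of them with an `onerror` handler; the fixed path drops the attribute and emits `<div class="box">hello</div>`. The general lesson matches the advisory's fix: a prefix check is not a name check, and anything that reaches a serializer unvalidated is effectively raw output.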
Description: XWiki Commons CVE-2023-31126 v14.10.3 for Coverity analysis
Readme
# XWiki Commons

[XWiki Commons](http://commons.xwiki.org/xwiki/bin/view/Main/) are technical libraries common to several other top level XWiki projects. 

These libraries can be used by projects outside of the XWiki ecosystem, are generic and not related to the wiki domain.

XWiki Platform, XWiki Commons and XWiki Rendering are part of the [XWiki.org](http://www.xwiki.org/) software forge. They are released together and share the same version.

## Documentation
* [Documentation](http://commons.xwiki.org/)
* [API](http://platform.xwiki.org/xwiki/bin/view/DevGuide/API)
* [Development Zone](http://dev.xwiki.org/xwiki/bin/view/Community/)

## Download
The XWiki Commons JARs are available in the [![Maven Central Repository](https://img.shields.io/maven-central/v/org.xwiki.commons/xwiki-commons.svg?maxAge=3600)](http://search.maven.org/#search|ga|1|g%3A%22org.xwiki.commons%22).

## Release Notes
Read our [Release Notes](http://www.xwiki.org/xwiki/bin/view/ReleaseNotes/).

## Tools
* [Continuous Integration](http://ci.xwiki.org/) setup launches a build for each commit
* [Issue Tracker](http://jira.xwiki.org/browse/XCOMMONS) if you want to report an issue
* [Development Flow](http://dev.xwiki.org/xwiki/bin/view/Community/DevelopmentPractices#HGeneralDevelopmentFlow) to see the full list of tools we use to build XWiki
* [![Revved up by Gradle Enterprise](https://img.shields.io/badge/Revved%20up%20by-Gradle%20Enterprise-06A0CE?logo=Gradle&labelColor=02303A)](https://ge.xwiki.org/scans)

## Community
We're always looking for contributors! 
You should read our [Get Involved Guide](http://dev.xwiki.org/xwiki/bin/view/Community/Contributing) or get in touch:
* [Blog](http://www.xwiki.org/xwiki/bin/view/Blog/)
* [Forum](https://dev.xwiki.org/xwiki/bin/view/Community/Discuss)
* [Chat](https://dev.xwiki.org/xwiki/bin/view/Community/Chat)