Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-46732

Published: November 6, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129914
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-46732
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary actions in the name of the user.

The vulnerability exists due to improper neutralization of script-related HTML tags in the rev parameter used by the content menu when a crafted link is processed. A remote attacker can trick the victim into visiting a crafted link and thereby execute arbitrary actions in the name of the user.

If the victim has programming rights, exploitation can lead to remote code execution and compromise the confidentiality, integrity and availability of the whole XWiki installation.


How to mitigate CVE-2023-46732

Install the security update from the vendor's website.

Sources