Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-46732


Published: November 6, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129914
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-46732
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to execute arbitrary actions in the name of the user.

The vulnerability exists due to improper neutralization of script-related HTML tags in the rev parameter used by the content menu when handling a crafted link parameter. A remote attacker can trick the victim into visiting a crafted link to execute arbitrary actions in the name of the user.

If the victim has programming right, exploitation can lead to remote code execution and compromise the confidentiality, integrity and availability of the whole XWiki installation.
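The root cause described above is a query parameter being written into the content menu's HTML without encoding. The following is an added example (not XWiki's own code) showing the pattern in generic terms: a link builder that concatenates a raw rev value into markup beside one that URL-encodes the value for the query string and HTML-encodes it for the attribute and text context. The path /wiki/view, the function names and the sample rev value are constructed for illustration and are not taken from XWiki.

```javascript
// Added example, not XWiki's code. Demonstrates why a user-controlled "rev"
// value must be encoded before it is placed into the HTML of a menu link.

// Constructed sample value, as it might arrive via ?rev=... in a crafted URL.
// It carries a harmless <b> marker so we can check whether tags survive raw.
const SAMPLE_REV = '1.2"><b>injected</b>';

// Hypothetical base path of the view action (placeholder, not XWiki's).
const VIEW_PATH = '/wiki/view';

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw parameter is concatenated straight into markup.
// A value containing a quote can close the attribute and open a new tag.
function buildRevLinkUnsafe(rev) {
  return '<a href="' + VIEW_PATH + '?rev=' + rev + '">Revision ' + rev + '</a>';
}

// Hardened pattern: encode for the query string first (so the URL stays
// well-formed), then HTML-encode the result for the attribute, and
// HTML-encode the value again for the visible link text.
function buildRevLinkSafe(rev) {
  const query = encodeURIComponent(rev);
  return '<a href="' + escapeHtml(VIEW_PATH + '?rev=' + query) + '">' +
         'Revision ' + escapeHtml(rev) + '</a>';
}

// Simple check a reviewer or test suite can run on generated markup:
// does the constructed marker appear as a live tag rather than encoded text?
function containsRawTag(html, tagName) {
  return html.includes('<' + tagName + '>');
}

// Stand-alone demonstration.
console.log('unsafe:', buildRevLinkUnsafe(SAMPLE_REV));
console.log('safe:  ', buildRevLinkSafe(SAMPLE_REV));
console.log('unsafe leaks tag:', containsRawTag(buildRevLinkUnsafe(SAMPLE_REV), 'b'));
console.log('safe leaks tag:  ', containsRawTag(buildRevLinkSafe(SAMPLE_REV), 'b'));
```

The two-layer encoding matters: encodeURIComponent alone keeps the URL well-formed but does not protect an attribute whose quotes are supplied by the template, and HTML-encoding alone would leave the query string malformed. Each context the value lands in gets its own encoder.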


Remediation

Install the security update from the vendor's website.

External links