Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-45137

Published: October 25, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129916
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-45137
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to execute arbitrary actions with the rights of the user opening a malicious link.

The vulnerability exists due to improper neutralization of script-related HTML tags in the create document form's error message in createinline.vm, which is shown when a request tries to create a document that already exists. A remote user can create a non-empty document whose name contains attack code and then trick the victim into opening a crafted link to that error message, executing arbitrary actions with the rights of the user opening the link.

User interaction is required to open the malicious link, and the injected code is taken from the document reference of an existing document.
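The defect class above (an existing document's reference interpolated into an error message without HTML escaping) can be illustrated with the following added example. It is not XWiki's code and reconstructs nothing from createinline.vm: the message text, the constructed document name and the helper names are assumptions; it shows the unescaped rendering beside the escaped one and a simple check that counts tags the untrusted name added.

```python
import html
import re

# Constructed sample document reference (not taken from the advisory) that
# carries markup in its name, as the description says an attacker-created
# document could.
CONSTRUCTED_REFERENCE = 'Sandbox.<img src=x onerror="alert(1)">Page'

# Number of tags the (hypothetical) template emits by itself.
TEMPLATE_TAG_COUNT = 2

_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_exists_error_unescaped(doc_ref: str) -> str:
    """Vulnerable pattern: the reference is dropped into HTML verbatim."""
    return f'<div class="errormessage">Document {doc_ref} already exists.</div>'


def render_exists_error_escaped(doc_ref: str) -> str:
    """Hardened pattern: untrusted data is HTML-escaped before interpolation.

    In a Velocity template the analogous step is to pass the value through
    an escaping tool (for example Velocity Tools' EscapeTool) rather than
    writing $reference directly into the markup."""
    safe_ref = html.escape(doc_ref, quote=True)
    return f'<div class="errormessage">Document {safe_ref} already exists.</div>'


def injected_tag_count(rendered: str) -> int:
    """Count tags in the output beyond those the template itself produces.

    A non-zero result means the interpolated value contributed markup."""
    return len(_TAG_RE.findall(rendered)) - TEMPLATE_TAG_COUNT


if __name__ == "__main__":
    for renderer in (render_exists_error_unescaped, render_exists_error_escaped):
        out = renderer(CONSTRUCTED_REFERENCE)
        print(f"{renderer.__name__}: injected tags = {injected_tag_count(out)}")
```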


Remediation

Install security update from vendor's website.

External links