Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-35157


Published: June 22, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129937
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-35157
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary script in the user's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the delattachment action when processing a forged delete-attachment request with a specific attachment name. A remote privileged user can send a specially crafted request to execute arbitrary script in the user's browser.

Exploitation requires user interaction and is possible only if the attacker knows the user's CSRF token or if the user ignores the warning about the missing CSRF token.
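The two conditions the advisory names (script-related HTML tags in an echoed attachment name, and a CSRF token that must be present and correct) are modelled below as an added example; this is not XWiki's code, and `render_unsafe`, `render_safe`, `handle_delattachment`, `form_token` and `session_token` are hypothetical names chosen for the illustration.

```python
# Added example (not XWiki's code): a minimal model of a "delete attachment"
# confirmation page that (1) refuses requests without a valid CSRF token and
# (2) HTML-escapes the attachment name before echoing it, which is the
# CWE-80 neutralization the advisory says was missing.
import html
import hmac
import re
from typing import Optional

# Detection pattern for a live (unescaped) opening or closing <script> tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def render_unsafe(attachment_name: str) -> str:
    """Naive rendering: echoes the name verbatim (illustrates the CWE-80 defect)."""
    return f"<p>Delete attachment {attachment_name}?</p>"


def render_safe(attachment_name: str) -> str:
    """Hardened rendering: every HTML metacharacter in the name is escaped."""
    return f"<p>Delete attachment {html.escape(attachment_name, quote=True)}?</p>"


def handle_delattachment(attachment_name: str, form_token: Optional[str],
                         session_token: str) -> str:
    """Request handler: CSRF gate first, then safe rendering.

    form_token is the token carried by the request, session_token is the one
    bound to the user's session (both hypothetical names for this example).
    """
    # A missing or mismatching token is rejected outright rather than shown
    # as a dismissible warning; compare_digest avoids a timing side channel.
    if form_token is None or not hmac.compare_digest(form_token, session_token):
        return "<p>Request rejected: missing or invalid CSRF token.</p>"
    return render_safe(attachment_name)


def contains_script_tag(markup: str) -> bool:
    """Detection helper: does rendered markup still contain a live <script> tag?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    # Constructed sample name for the demonstration, not a value from the advisory.
    name = "report<script>alert(1)</script>.pdf"
    print(contains_script_tag(render_unsafe(name)))   # True: tag survives
    print(contains_script_tag(render_safe(name)))     # False: tag neutralized
    print(handle_delattachment(name, None, "tok"))    # rejected, no token
```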


Remediation

Install the security update from the vendor's website.

External links