Cross-site scripting in XWiki platform - CVE-2023-34464


Published: June 20, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129938
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-34464
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to execute arbitrary actions with the victim's rights.

The vulnerability exists due to insufficient sanitization of user-supplied content in the displaycontent/rendercontent template when it renders plain HTML from an editable wiki document using the plain output syntax. A remote user who can edit a wiki document can place malicious HTML in it and trick the victim into visiting a crafted URL, causing that HTML to execute in the victim's browser with the victim's rights.

User interaction is required, and exploitation depends on the victim visiting the document through the displaycontent or rendercontent template with plain output syntax.


Remediation

Install the security update from the vendor's website.

External links