Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-36477


Published: June 30, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129941
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-36477
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary script code in users' browsers.

The vulnerability exists due to improper neutralization of script-related HTML tags in the CKEditor JavaScript configuration pages when editing pages in the CKEditor space. A remote user who can edit those pages can modify the JavaScript configuration to execute arbitrary script code in other users' browsers.

User interaction is required to load the affected content.
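The weakness class behind this advisory (CWE-80: script-related tags in user-controlled content that is emitted inside a script block) is illustrated below with an added, constructed example; it is not XWiki's or CKEditor's code, and the config keys, page template and `editorConfig` variable name are assumptions. The weak form pastes a serialized configuration straight into the page, so a value containing `</script>` closes the block early; the hardened form escapes every character that the HTML parser could read as a tag.

```python
import json
import re

# Constructed illustration of CWE-80 in a JavaScript configuration block.
# Not XWiki's or CKEditor's code: the template and config keys are assumptions.

# Characters that can open or close an HTML tag inside a <script> body,
# mapped to JS \uXXXX escapes that the JS parser decodes back transparently.
_JS_ESCAPES = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}

_PREFIX = "<script>var editorConfig = "
_SUFFIX = ";</script>"


def weak_script_block(config: dict) -> str:
    """Weak form: json.dumps escapes quotes but leaves '<' and '>' intact,
    so a string value holding '</script>' terminates the script block early."""
    return _PREFIX + json.dumps(config) + _SUFFIX


def hardened_script_block(config: dict) -> str:
    """Hardened form: neutralize tag-forming characters with JS escapes.
    The HTML parser never sees a literal '<', while the JS parser still
    recovers the original characters when it evaluates the literal."""
    raw = json.dumps(config)
    return _PREFIX + "".join(_JS_ESCAPES.get(ch, ch) for ch in raw) + _SUFFIX


_SCRIPT_TAG = re.compile(r"</?\s*script\b", re.IGNORECASE)


def script_tag_count(html: str) -> int:
    """Count script tag openers in the page; a well-formed block has exactly two."""
    return len(_SCRIPT_TAG.findall(html))


def round_trips(config: dict) -> bool:
    """The \\uXXXX escapes are valid JSON, so json.loads stands in for the
    browser's JS parser: the hardened literal must decode to the same config."""
    literal = hardened_script_block(config)[len(_PREFIX):-len(_SUFFIX)]
    return json.loads(literal) == config


# Constructed sample: a configuration value carrying a closing script tag
# plus stray markup, the kind of script-related HTML tag the advisory names.
SAMPLE_CONFIG = {"toolbar": "Basic", "extraPlugins": "</script><b>stray markup</b>"}
```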


Remediation

Install the security update from the vendor's website.

External links