Improper Neutralization of Alternate XSS Syntax in XWiki platform - CVE-2023-35160


Published: June 22, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129943
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-35160
CWE-ID: CWE-87
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary JavaScript in the page.

The vulnerability exists due to improper neutralization of alternate XSS syntax in the resubmit template when handling the xback and xcontinue URL parameters. A remote attacker can forge a URL with a crafted payload to inject arbitrary JavaScript in the page.

User interaction is required to open the crafted URL.
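The weakness class named above (CWE-87, alternate XSS syntax) is about reflected values that slip past a filter because they arrive in a different encoding than the filter expects. The usual defensive pattern for "return to" parameters such as xback and xcontinue is to allow-list them as same-origin relative paths after decoding, and to fall back to a fixed location when the value fails the check. The following is an added example of that pattern in Python; it is not XWiki's resubmit template or any XWiki code, and the function names, the decode depth and the sample inputs are assumptions made for the illustration.

```python
import html
from urllib.parse import unquote, urlsplit

# Characters that have no business in a same-origin return path and that are the
# usual carriers for breaking out of an attribute or tag when a value is reflected.
_FORBIDDEN = set('<>"\'`\\')


def decode_return_param(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so the check sees the value a browser
    would, even when the parameter was encoded more than once."""
    value = raw
    for _ in range(3):  # assumed bound; enough to unwrap double/triple encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_return_path(raw: str) -> bool:
    """Accept only a relative, same-origin path: it must start with a single '/',
    carry no scheme or host, and contain no control, whitespace or markup
    characters in its decoded form."""
    value = decode_return_param(raw)
    if any(ord(ch) <= 0x1F or ord(ch) == 0x7F or ch.isspace() for ch in value):
        return False
    if any(ch in _FORBIDDEN for ch in value):
        return False
    # "//host" (protocol-relative) and "/\host" (browser-normalised) are not same-origin
    if not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    return not parts.scheme and not parts.netloc


def render_return_link(raw: str, fallback: str = "/") -> str:
    """Emit the link a resubmit-style page would show. The raw value is kept when it
    passes validation (so its own percent-encoding is preserved) and is always
    attribute-escaped on output; anything else is replaced by the fallback."""
    target = raw if is_safe_return_path(raw) else fallback
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for sample in ["/bin/view/Main/WebHome?xpage=plain",
                   "/bin/view/Main?a=1&b=2",
                   "//evil.example/",
                   "%2F%2Fevil.example",
                   "/bin/view/Main/%3Cscript%3E"]:
        print(f"{sample!r:40} safe={is_safe_return_path(sample)}")
```

Validation is done on the decoded form while the original value is what gets emitted; decoding before output would change the meaning of legitimately encoded query values. The output escaping is kept even for accepted values, because the allow-list and the escaping guard against different mistakes.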


How to mitigate CVE-2023-35160

Install the security update from the vendor's website.
