Improper Encoding or Escaping of Output in XWiki platform - CVE-2023-32071

Published: May 9, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129949
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-32071
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in the context of another user's session.

The vulnerability exists due to improper encoding or escaping of output in the importinline template when handling the editor parameter in a crafted URL targeting a page that contains an attachment. A remote user can send a specially crafted URL to execute arbitrary JavaScript in the context of another user's session.

User interaction is required to visit the crafted URL, and the target page must contain an attachment.
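As an added example that is not part of this advisory, a log-triage check a defender can run over web-server access logs: it flags requests that reach the importinline template with an editor value that is not a plain identifier, which is the shape a legitimate editor name has. The sample log lines are constructed, and the two URL shapes used to recognise the template (the /bin/import/ action path and XWiki's xpage parameter) are assumptions, not details taken from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2023:10:00:01 +0000] "GET /xwiki/bin/import/Sandbox/WebHome?editor=wysiwyg HTTP/1.1" 200 512
10.0.0.7 - - [09/May/2023:10:00:02 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=importinline&editor=wiki%22%3E HTTP/1.1" 200 640
10.0.0.9 - - [09/May/2023:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome?editor=inline HTTP/1.1" 200 300
"""

# Request line of a CLF record, and an allowlist shape for the editor value:
# editor names are plain identifiers, so quotes, angle brackets or spaces in
# the decoded value are worth a closer look.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
EDITOR_OK = re.compile(r"^[A-Za-z0-9_-]+$")


def reaches_importinline(path: str, params: dict) -> bool:
    """Assumption: the template is reached either through the import action
    path or by requesting it directly with XWiki's xpage parameter."""
    return "/bin/import/" in path or "importinline" in params.get("xpage", [])


def suspicious_importinline_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded editor value) for every request that reaches
    the importinline template with an editor value outside the allowlist shape."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if not reaches_importinline(parts.path, params):
            continue
        for value in params.get("editor", []):
            if not EDITOR_OK.match(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_importinline_requests(SAMPLE_LOG):
        print(f"{ip}: unexpected editor value {value!r}")
```

A hit is a triage lead, not proof of exploitation; the page the request targets still has to contain an attachment and the victim still has to open the link for the issue to matter.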

Remediation

Install the security update from the vendor's website.

External links