Main Vulnerability Database Vulnerabilities #VU129979

Cross-site scripting in XWiki platform - CVE-2023-29506

Published: April 12, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129979

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29506

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in authenticate endpoints when handling a crafted authenticate endpoint URL. A remote attacker can send a specially crafted URL to execute arbitrary script code in the victim's browser.

User interaction is required to open the crafted URL.

Remediation

Install security update from vendor's website.

External links

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380

Cross-site scripting in XWiki platform - CVE-2023-29506

Description

Remediation

External links

Please verify you're human