Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-29207

 

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-29207

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129990
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29207
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary actions in the wiki.

The vulnerability exists due to improper neutralization of script-related html tags in the LiveTable Macro when rendering user-controlled column names. A remote user can inject crafted HTML or JavaScript through macro parameters to execute arbitrary actions in the wiki.

This issue is also exploitable via the Documents Macro and can be triggered in comments. User interaction is required by a user with more rights.


How to mitigate CVE-2023-29207

Install security update from vendor's website.

Sources