Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2023-29207

 

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129990
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29207
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary actions in the wiki.

The vulnerability exists due to improper neutralization of script-related HTML tags in the LiveTable Macro when rendering user-controlled column names. A remote user can inject crafted HTML or JavaScript through macro parameters to execute arbitrary actions in the wiki.

This issue is also exploitable via the Documents Macro and can be triggered in comments. Triggering it requires interaction from a user with more rights than the attacker.


Remediation

Install the security update from the vendor's website.

External links