Incomplete List of Disallowed Inputs in XWiki platform - CVE-2021-43841

Published: February 4, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130033
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-43841
CWE-ID: CWE-184
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute script in the victim's browser.

The vulnerability exists due to an incomplete list of disallowed inputs in the SVG file upload handling when an uploaded SVG file is served through the download action. A remote user can upload a crafted SVG file to execute script in the victim's browser.

User interaction is required: the victim must trigger the download action on the uploaded file. The issue occurs with the default configuration.
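The weakness class named above (CWE-184) is a denylist that misses some of the ways an SVG can carry active content. The following is an added example, not XWiki code and not the vendor's fix: it contrasts a naive substring denylist with a structural check that parses the document and rejects script elements, event-handler attributes and `javascript:` hrefs regardless of namespace prefixes. All sample files and the helper names are constructed for illustration.

```python
"""Added example: denylist vs. structural check for active content in an SVG upload.

This is illustrative code, not XWiki's upload handler or its fix. The sample
files below are constructed. In production, parse untrusted XML with a
hardened parser (e.g. defusedxml) rather than xml.etree directly.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample uploads (none come from the advisory).
SAMPLES: Dict[str, bytes] = {
    "plain_circle": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "script_element": b'<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>',
    # Same element, reached through a namespace prefix instead of a default namespace.
    "prefixed_script": b'<s:svg xmlns:s="http://www.w3.org/2000/svg"><s:script>x()</s:script></s:svg>',
    # No <script> at all: an event-handler attribute on the root element.
    "event_handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><rect/></svg>',
    # No <script> at all: a link whose target is a javascript: URL.
    "script_href": (b'<svg xmlns="http://www.w3.org/2000/svg" '
                    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                    b'<a xlink:href="javascript:x()"><text>go</text></a></svg>'),
    "not_xml": b'<svg><circle',
}

# Elements that embed script or arbitrary HTML; the list is deliberately short.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def naive_denylist_check(data: bytes) -> bool:
    """Denylist of the kind CWE-184 describes: rejects only a literal '<script'.
    Returns True when the upload is accepted."""
    return b"<script" not in data.lower()


def _local(qname: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the local name."""
    return qname.rsplit("}", 1)[-1].lower()


def structural_check(data: bytes) -> Tuple[bool, str]:
    """Parse the file and walk every element and attribute.
    Returns (accepted, reason); anything unparseable is rejected."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"unparseable: {exc}"
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            return False, f"active element <{tag}>"
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return False, f"event handler attribute {name}"
            if name == "href":
                # Remove whitespace/control characters before comparing the scheme.
                scheme_part = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme_part.startswith("javascript:"):
                    return False, "javascript: href"
    return True, "no active content found"


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over the samples: {name: (naive_accepts, structural_accepts)}."""
    return {name: (naive_denylist_check(d), structural_check(d)[0])
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (naive_ok, strict_ok) in evaluate().items():
        print(f"{name:16} naive={'accept' if naive_ok else 'reject':7} "
              f"structural={'accept' if strict_ok else 'reject'}")
```

Three of the constructed samples pass the substring denylist and fail the structural check, which is the gap the advisory's CWE classification points at. Validation of this kind is still a partial measure: serving user uploads from a separate origin, or with `Content-Disposition: attachment` so the browser does not render them inline, removes the script-execution vector independently of how complete the list is.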


Remediation

Install security update from vendor's website.

External links