Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-29508

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Published

2023-04-16T08:15:07.513

Last Modified

2025-04-11T14:50:31.367

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.9 (HIGH)

Weaknesses

Type: Secondary
CWE-79
CWE-80
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.10.11	Yes
Application	xwiki	xwiki	< 14.4.7	Yes
Application	xwiki	xwiki	14.10	Yes

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2 Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-20312 Issue Tracking, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-20312 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2 Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://jira.xwiki.org/browse/XWIKI-20312 Issue Tracking, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)