Improper Encoding or Escaping of Output Affecting org.xwiki.platform:xwiki-platform-web-templates package, versions [,14.10.12)[15.0-rc-1,15.5-rc-1)


Severity: critical

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.33% (71st percentile)

  • Snyk ID: SNYK-JAVA-ORGXWIKIPLATFORM-6036195
  • published: 26 Oct 2023
  • disclosed: 25 Oct 2023
  • credit: Unknown

Introduced: 25 Oct 2023

CVE-2023-45135
CWE-116

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-web-templates to version 14.10.12, 15.5-rc-1 or higher.

Overview

org.xwiki.platform:xwiki-platform-web-templates provides the web resources (templates) for the XWiki platform.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. An attacker can craft a link to the page creation action whose title parameter is not initially displayed but whose contents are executed when the victim clicks the "Create" button on the malicious page.

PoC

<xwiki-host>/xwiki/bin/create/NonExistingSpace/WebHome?title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)

CVSS Scores

version 3.1