CVE-2023-31126

CVSS V2 None CVSS V3 None

Description

`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.

Overview

CVE ID
CVE-2023-31126

Assigner
security-advisories@github.com

Vulnerability Status
Received

Published Version
2023-05-09T13:15:18

Last Modified Date
2023-05-09T13:15:18

Weakness Enumerations

CWE	URL
CWE-86	http://cwe.mitre.org/data/definitions/86.html

References

Reference URL	Reference Tags
https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv
https://jira.xwiki.org/browse/XCOMMONS-2606

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-31126
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31126

History

Created	Old Value	New Value	Data Type	Notes
2023-05-09 14:01:45				Added to TrackCVE
2023-05-09 14:01:49			Weakness Enumeration	new