CVE-2023-45144

CVSS V2 None CVSS V3 None

Description

com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.

Overview

CVE ID
CVE-2023-45144

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-10-16T20:32:50.376Z

Last Modified Date
2023-10-16T20:32:50.376Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html
CWE-94	http://cwe.mitre.org/data/definitions/94.html

References

Reference URL	Reference Tags
https://github.com/xwikisas/identity-oauth/security/advisories/GHSA-h2rm-29ch-wfmh	x_refsource_CONFIRM
https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6	x_refsource_MISC
https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188	x_refsource_MISC
https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58	x_refsource_MISC
https://jira.xwiki.org/browse/XWIKI-20719	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-45144
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45144

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 10:21:17				Added to TrackCVE