CVE-2023-26480

moderate-risk
Published 2023-03-02

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.

Do I need to act?

~
8.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.9/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Xwiki

References (8)

Patch https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c7...
Patch https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774...
Vendor Advisory https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
Exploit https://jira.xwiki.org/browse/XWIKI-20143
Patch https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c7...
Patch https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774...
Vendor Advisory https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
Exploit https://jira.xwiki.org/browse/XWIKI-20143
47
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 10/34 · Low
Exposure 7/34 · Low