9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-31126

GHSA ID

GHSA-pv7v-ph6g-3gxv

EPSS Score

0.86687%

CWE

CWE-79

Published

5/9/2023

Updated

11/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-31126

CVE-2023-31126: Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml

Impact

The HTML sanitizer, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki:

[[Link1>>https://XWiki.example.com||data-x/onmouseover="alert('XSS1')"]].

When a user moves the mouse over this link, the malicious JavaScript code is executed in the context of the user session. When this user is a privileged user who has programming rights, this allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.

Note that this vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like / and > are removed in all attribute names.

Patches

This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters.

Workarounds

There are no known workarounds apart from upgrading to a version including the fix.

References

https://jira.xwiki.org/browse/XCOMMONS-2606
https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at XWiki Security mailing-list

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-31126

CVE-2023-31126:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-31126

GHSA ID

GHSA-pv7v-ph6g-3gxv

EPSS Score

0.86687%

CWE

CWE-79

Published

5/9/2023

Updated

11/7/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.commons:xwiki-commons-xml	maven	>= 14.6-rc-1, < 14.10.4	14.10.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues in SecureHTMLElementSanitizer.java: 1) The original DATA_ATTR pattern (^data-[-\w.\u00B7-\uFFFF]) allowed invalid XML characters like '/' and '>' by using a broad Unicode range. 2) The .find() method was used instead of .matches(), allowing partial matches. Together, these permitted attributes like 'data-x/onmouseover' which bypassed validation. The patched commit specifically addresses both issues by tightening the regex to XML Name production rules and switching to .matches(). The isAttributeAllowed function is the direct validation gatekeeper for attributes, making it the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-31126: Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml

Impact

Patches

Workarounds

References

For more information

CVE-2023-31126:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2023-31126: Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml

Impact

Patches

Workarounds

References

For more information

9.1

9.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI