9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32070

GHSA ID

GHSA-6gf5-c898-7rxp

EPSS Score

0.88252%

CWE

CWE-79

Published

5/11/2023

Updated

11/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32070

CVE-2023-32070: Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

Impact

HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.

Patches

This has been patched in XWiki 14.6 RC1.

Workarounds

There are no known workarounds apart from upgrading to a fixed version.

References

https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
https://jira.xwiki.org/browse/XRENDERING-663

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-32070

GHSA ID

GHSA-6gf5-c898-7rxp

EPSS Score

0.88252%

CWE

CWE-79

Published

5/11/2023

Updated

11/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.rendering:xwiki-rendering-syntax-xhtml	maven	< 14.6-rc-1	14.6-rc-1
org.xwiki.platform:xwiki-core-rendering-api	maven	<= 3.0-milestone-2
org.xwiki.rendering:xwiki-rendering-syntax-html	maven	< 14.6-rc-1	14.6-rc-1
org.xwiki.rendering:xwiki-rendering-syntax-html5	maven	< 14.6-rc-1	14.6-rc-1
org.xwiki.rendering:xwiki-rendering-syntax-annotatedxhtml	maven	< 14.6-rc-1	14.6-rc-1
org.xwiki.rendering:xwiki-rendering-syntax-annotatedhtml5	maven	< 14.6-rc-1	14.6-rc-1
org.xwiki.platform:xwiki-platform-annotation-core	maven	< 14.6-rc-1	14.6-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing HTML attribute sanitization in XWiki's rendering components. The commit introduces HTMLElementSanitizer across multiple renderers (XHTML, HTML5, AnnotatedHTML) and modifies XHTMLWikiPrinter to validate attributes. The affected functions are the rendering entry points that process HTML elements/attributes. The patch explicitly adds sanitization to these components, indicating they were previously vulnerable. Test file changes show attributes being prefixed with 'data-xwiki-translated-attribute-' when disallowed, proving the lack of prior validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *TML r*n**rin* *i*n't ****k *or **n**rous *ttri*ut*s/*ttri*ut* v*lu*s. T*is *llow** *ross-sit* s*riptin* (XSS) *tt**ks vi* *ttri*ut*s *n* link URLs, *.*., support** in XWiki synt*x. ### P*t***s T*is **s ***n p*t**** in XWiki **.* R**. #

Reasoning

T** vuln*r**ility st*mm** *rom missin* *TML *ttri*ut* s*nitiz*tion in XWiki's r*n**rin* *ompon*nts. T** *ommit intro*u**s *TML*l*m*ntS*nitiz*r **ross multipl* r*n**r*rs (X*TML, *TML*, *nnot*t***TML) *n* mo*i*i*s X*TMLWikiPrint*r to v*li**t* *ttri*ut*

9.1

Basic Information

Concerned about an active attack path?

CVE-2023-32070: Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

Impact

Patches

Workarounds

References

For more information

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI