8.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-35157

CVE-2023-35157: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

Impact

It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token.

Patches

The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.

Workarounds

There's no workaround for this other than upgrading XWiki.

References

Jira ticket: https://jira.xwiki.org/browse/XWIKI-20339
Commit containing the fix: https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-35157

CVE-2023-35157:

8.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 3.2-milestone-3, < 14.10.6	14.10.6
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 15.0-rc-0, < 15.1-rc-1	15.1-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper output encoding in error messages displayed during attachment deletion. The commit diff shows the fix added XMLUtils.escape() to the localizePlainOrKey method, which handles translation strings. This indicates the function previously returned raw user-controlled attachment names without sanitization. The XSS occurs when these names are reflected in error messages (e.g., 'Failed to delete attachment [name]') without proper escaping. The test case added in AttachmentIT.java with an '<img>' payload confirms the attack vector involved attachment name injection in delattachment action responses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-35157: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

Impact

Patches

Workarounds

References

For more information

CVE-2023-35157:

8.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

8.5

8.5

CVE-2023-35157: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

Impact

Patches

Workarounds

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI