CVE-2023-35159: XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in deletespace template
9.7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.86858%
CWE
Published
6/22/2023
Updated
11/12/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 3.4-milestone-1, < 14.10.5 | 14.10.5 |
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 15.0-rc-1, < 15.1-rc-1 | 15.1-rc-1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the deletespace.vm template directly using the xredirect parameter value in a URL context without proper sanitization. The commit diff shows the patched version replaces the unsafe assignment with #getSanitizedURLAttributeValue, a macro introduced to validate URLs. The unpatched code's line '#set ($cancelURL = $request.xredirect)' allowed arbitrary JavaScript execution when the parameter value started with 'javascript:'. This matches the XSS pattern described in CWE-79 and CWE-87.