CVE-2023-45134: XWiki Platform XSS vulnerability from account in the create page form via template provider
9.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.89009%
CWE
Published
10/25/2023
Updated
11/3/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-web-templates | maven | < 14.10.12 | 14.10.12 |
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 15.0-rc-1, < 15.5-rc-1 | 15.5-rc-1 |
| org.xwiki.platform:xwiki-web-standard | maven | >= 2.4-milestone-2, < 3.1-milestone-1 | 3.1-milestone-1 |
| org.xwiki.platform:xwiki-platform-web | maven | >= 3.1-milestone-1, < 13.4-rc-1 | 13.4-rc-1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped Velocity template outputs in createinline.vm. The commit diff shows the addition of $escapetool.xml() wrappers around services.localization.render() calls that previously output attacker-controlled values like $templateProvider and $allowedSpaces.toString(). These values were derived from user-configured template providers and could contain XSS payloads. The lack of escaping in the original implementation allowed HTML/JS injection when rendering error messages during document creation.