CVE-2023-29201

9.0 CRITICAL

📋 TL;DR

This vulnerability allows cross-site scripting (XSS) through the restricted mode of the XWiki Commons HTML cleaner, which insufficiently filtered dangerous HTML elements and attributes. When exploited, it enables JavaScript injection that can lead to server-side code execution with programming rights if a privileged user views the malicious content. All XWiki instances using affected versions are vulnerable.

💻 Affected Systems

Products:
  • XWiki Commons
  • XWiki Platform
Versions: 4.2-milestone-1 through 14.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any XWiki installation using HTML cleaner in restricted mode is vulnerable. The vulnerability affects the core libraries used by multiple XWiki projects.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of XWiki instance with programming rights leading to data theft, content manipulation, and complete system takeover.

🟠 Likely Case

Privileged user executes malicious JavaScript leading to session hijacking, data exfiltration, or unauthorized content modifications.

🟢 If Mitigated

Limited impact with proper user privilege separation and external WAF filtering, though XSS vectors remain.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a privileged user with programming rights to view malicious content. The XSS vulnerability is straightforward to exploit once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.6 RC1 and later

Vendor Advisory: https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j

Restart Required: Yes

Instructions:

1. Back up your XWiki instance.
2. Upgrade to XWiki 14.6 RC1 or later.
3. Restart the XWiki application server.
4. Verify the fix by checking the version and testing HTML sanitization.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds apart from upgrading.

🧯 If You Can't Patch

  • Restrict programming rights to minimal trusted users only
  • Implement external WAF with XSS filtering rules

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version: if it is between 4.2-milestone-1 and 14.5, the instance is vulnerable. Also review whether the HTML cleaner's restricted mode is used by custom applications.

Check Version:

Check the XWiki administration panel or the xwiki.properties file for version information.

Verify Fix Applied:

After upgrade, verify version is 14.6 RC1 or later. Test HTML sanitization with known XSS payloads in restricted mode.
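The version check above is easy to get wrong by hand because XWiki version strings carry qualifiers such as 4.2-milestone-1 and 14.6-rc-1, and a milestone or release candidate must sort before the final release of the same number. The script below is an added example, not part of this advisory or of XWiki's own tooling. It assumes the version scheme `MAJOR.MINOR[.PATCH][-milestone-N|-rc-N]` and treats every release from 4.2-milestone-1 up to but not including the fix version 14.6-rc-1 as affected; whether a later 14.5.x patch release exists is not something this page states, so that boundary is an assumption drawn from the fix version.

```python
import re

# Qualifier ranks: a milestone precedes a release candidate, which precedes the final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1, "final": 2}

def parse_xwiki_version(version: str) -> tuple:
    """Turn '14.6-rc-1', '4.2-milestone-1' or '14.5' into a comparable tuple.

    Result shape: (numeric parts padded to four, qualifier rank, qualifier number).
    Assumed scheme: MAJOR.MINOR[.PATCH][-milestone-N|-rc-N], compared case-insensitively.
    """
    v = version.strip().lower()
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # pad so 14.5 and 14.5.0 compare equal
    if m.group(2):
        return (tuple(nums), _QUALIFIER_RANK[m.group(2)], int(m.group(3)))
    return (tuple(nums), _QUALIFIER_RANK["final"], 0)

# Range boundaries taken from the advisory text above.
AFFECTED_FROM = parse_xwiki_version("4.2-milestone-1")   # first affected version
FIXED_IN = parse_xwiki_version("14.6-rc-1")              # first fixed version

def is_affected(version: str) -> bool:
    """True when the installed version falls inside the affected range.

    Assumption: everything from AFFECTED_FROM up to (not including) FIXED_IN is affected.
    """
    v = parse_xwiki_version(version)
    return AFFECTED_FROM <= v < FIXED_IN

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real deployment.
    for sample in ["4.1", "4.2-milestone-1", "13.10.11", "14.5", "14.6-rc-1", "14.6", "15.0"]:
        print(f"{sample:16} affected={is_affected(sample)}")
```

Feed the script the version string shown in the administration panel; a `ValueError` on an unexpected format is deliberate, since silently reporting "not affected" for an unparsed string is the wrong failure mode for a vulnerability check.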

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in privileged user sessions
  • HTML content with suspicious attributes like onload, onerror, or iframe tags

Network Indicators:

  • Outbound connections to suspicious domains from XWiki server
  • Unexpected POST requests with encoded HTML payloads

SIEM Query:

source="xwiki.log" AND ("<iframe" OR "javascript:" OR "onload=" OR "onerror=")
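A literal substring query like the one above misses the case and encoding variations that the Network Indicators section itself anticipates ("encoded HTML payloads"). The script below is an added example, not part of this advisory or of XWiki, that applies the same indicators over log lines after lowercasing and undoing URL-encoding and HTML-entity encoding. It generalizes the query's `onload=`/`onerror=` terms to any inline `on*=` event-handler attribute. The log lines are constructed to illustrate the matcher and are not real XWiki output; the log format of a given deployment is an assumption to adjust.

```python
import html
import re
import urllib.parse

# Indicators from the SIEM query above, written as regexes so that case and
# whitespace variations still match. 'on\w+\s*=' generalizes onload=/onerror=
# to any inline event-handler attribute.
INDICATORS = {
    "iframe_tag": re.compile(r"<\s*iframe\b"),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "event_handler_attr": re.compile(r"\bon\w+\s*="),
}

def normalise(text: str, rounds: int = 2) -> str:
    """Lowercase and undo URL-encoding and HTML-entity encoding a couple of times,
    so that '%3Ciframe' or '&lt;iframe' is matched like a raw '<iframe'."""
    out = text
    for _ in range(rounds):
        out = html.unescape(urllib.parse.unquote_plus(out))
    return out.lower()

def scan_line(line: str) -> list[str]:
    """Return the names of every indicator present in one log line (empty list if clean)."""
    normalised = normalise(line)
    return [name for name, rx in INDICATORS.items() if rx.search(normalised)]

def scan_log(lines) -> list[tuple[int, list[str], str]]:
    """Scan many lines; return (line number, matched indicators, raw line) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits.append((n, found, line.rstrip("\n")))
    return hits

# Constructed sample lines in the shape of an application log (not real XWiki output).
SAMPLE_LOG = [
    "2023-04-12 10:01:02,345 INFO  ... GET /xwiki/bin/view/Main/WebHome 200",
    "2023-04-12 10:01:09,001 INFO  ... POST /xwiki/bin/save/Sandbox/TestPage "
    "content=%3Ciframe+src%3D%22javascript%3Aalert(1)%22%3E",
    "2023-04-12 10:02:15,778 WARN  ... rendering Sandbox.TestPage: "
    "<img src=x ONERROR=\"fetch('//example.invalid')\">",
    "2023-04-12 10:03:00,002 INFO  ... GET /xwiki/bin/view/Sandbox/Notes?q=onload+behaviour+of+images 200",
    "2023-04-12 10:04:31,111 INFO  ... comment saved: "
    "&lt;a href=&quot;JavaScript:void(0)&quot;&gt;link&lt;/a&gt;",
]

if __name__ == "__main__":
    for n, found, raw in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}\n    {raw}")
```

Line 4 of the sample is a deliberate near miss: the word "onload" appears in a search query without a following `=`, so it is not reported, which keeps the handler-attribute indicator from firing on ordinary prose. Tune `rounds` upward if the logged payloads are encoded more than twice.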
