CVE-2023-29508 – org.xwiki.platform:xwiki-platform-livedata-macro

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-livedata-macro
Vulnerable Version: >=13.10.10 <13.10.11 || >=14.4 <14.4.7 || >=14.9 <14.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00524 pctl0.66024

Details

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting ### Impact A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. For instance, by adding the LiveData below in the about section of the profile of a user created by an admin. ```javascript {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. ### Workarounds No known workaround. ### References - https://jira.xwiki.org/browse/XWIKI-20312 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org/) * Email us at [Security ML](mailto:security@xwiki.org)

Metadata

Created: 2023-04-12T20:36:36Z
Modified: 2025-02-06T20:02:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-hmm7-6ph9-8jf2/GHSA-hmm7-6ph9-8jf2.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-hmm7-6ph9-8jf2
Finding: F425
Auto approve: 1