XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.
History

Wed, 27 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-23T18:22:54.954Z

Updated: 2024-11-27T20:10:32.697Z

Reserved: 2023-06-14T14:17:52.178Z

Link: CVE-2023-35157

cve-icon Vulnrichment

Updated: 2024-08-02T16:23:59.439Z

cve-icon NVD

Status : Modified

Published: 2023-06-23T19:15:09.343

Modified: 2024-11-21T08:08:03.367

Link: CVE-2023-35157

cve-icon Redhat

No data.