Home > Vulnerability Database > CVE-2023-31126

Mend.io Vulnerability Database

CVE-2023-31126

Good to know:

Date: May 9, 2023

`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.

Language: Java

Severity Score

9.0

Related Resources (6)

Url: https://github.com/xwiki/xwiki-commons

Url: https://jira.xwiki.org/browse/XCOMMONS-2606

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-31126

Url: https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68

Url: https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv

Url: https://www.mend.io/vulnerability-database/CVE-2023-31126

Severity Score

9.0

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Improper Neutralization of Invalid Characters in Identifiers in Web Pages

CWE-86

Top Fix

Upgrade Version

Upgrade to version org.xwiki.commons:xwiki-commons-xml:14.10.4,15.0

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-31126

Good to know:

Date: May 9, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?