CVE-2023-37908

Summary

CVE-2023-37908 is a cross-site scripting (XSS) vulnerability affecting XWiki Rendering, a system used to convert textual input into another syntax. The issue was introduced in version 14.6-rc-1 and arises from the lack of cleaning and validation of attributes during XHTML rendering. This vulnerability allows the injection of arbitrary HTML code, which can be exploited via malicious links in content that supports XWiki syntax. If the user moves their mouse over a malicious link, the associated malicious JavaScript code is executed in the user session. In the case of privileged users with programming rights, this can lead to server-side code execution, resulting in a serious impact on the XWiki instance's confidentiality, integrity, and availability. The vulnerability has been patched in XWiki versions 14.10.4 and 15.0 RC1 by removing unallowed characters and validating cleaned attributes. There are no known workarounds aside from upgrading to a patched version.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.