CVE-2023-29506: org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints

April 12, 2023

It was possible to inject some code using the URL of authenticate endpoints, e.g. https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword

References

github.com/advisories/GHSA-jjm5-5v9v-7hx2
github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
jira.xwiki.org/browse/XWIKI-20335

Code Behaviors & Features

Detect and mitigate CVE-2023-29506 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →