CVE-2023-29206: org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
Impact
There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.
Patches
This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.
Workarounds
The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.
References
- https://jira.xwiki.org/browse/XWIKI-19514
- https://jira.xwiki.org/browse/XWIKI-9119
- https://jira.xwiki.org/browse/XWIKI-19583
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
References
Code Behaviors & Features
Detect and mitigate CVE-2023-29206 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →