XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro.

For instance:

{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}

Patches

This has been patched in XWiki 14.9, 14.4.7, and 13.10.10.

Workarounds

No known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20143

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira
Email us at Security ML

References

manuelleduc published to xwiki/xwiki-platform Mar 1, 2023

Published by the National Vulnerability Database Mar 2, 2023

Published to the GitHub Advisory Database Mar 3, 2023

Reviewed Mar 3, 2023

Last updated Mar 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code