GHSA-6gf5-c898-7rxp

GitHub Security Advisory

Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

### Impact

HTML rendering didn't check for dangerous attributes or attribute values. This allowed cross-site scripting (XSS) attacks through attributes and link URLs, for example those supported in XWiki syntax.
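
The kind of check the advisory says was missing, as an added example that is not XWiki's code or the patched renderer: attributes are compared against an allowlist, event-handler attributes are never emitted, and URL-bearing attributes must carry an allowlisted scheme after entity decoding. The tag and attribute allowlists are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists for this example; they are not XWiki's real lists.
ALLOWED_TAGS = {"a", "img", "p", "span", "div", "em", "strong", "br"}
ALLOWED_ATTRIBUTES = {"href", "src", "alt", "title", "class", "id", "rel"}
URL_ATTRIBUTES = {"href", "src"}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

def is_safe_attribute(name, value):
    """Decide whether an (already entity-decoded) attribute may be emitted."""
    name = name.lower()
    if name.startswith("on") or name not in ALLOWED_ATTRIBUTES:
        return False  # event handlers and unknown attributes are never emitted
    if name in URL_ATTRIBUTES:
        # Browsers ignore embedded tabs/newlines in a scheme, so strip them first.
        cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
        return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES
    return True

class AttributeFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &#106; etc. before checking
        self.out, self.dropped = [], []

    def _emit_tag(self, tag, attrs, self_closing):
        if tag not in ALLOWED_TAGS:
            return  # disallowed elements are dropped; their text is still escaped
        kept = []
        for name, value in attrs:
            value = "" if value is None else value
            if is_safe_attribute(name, value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name, value))
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def filter_attributes(fragment):
    """Return (filtered_html, dropped_attributes) for an untrusted fragment."""
    parser = AttributeFilter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is what a renderer would log so that rejected attributes show up in review rather than silently disappearing.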

### Patches
This has been patched in XWiki 14.6 RC1.

### Workarounds
There are no known workarounds apart from upgrading to a fixed version.

### References
* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
* https://jira.xwiki.org/browse/XRENDERING-663

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.rendering:xwiki-rendering-syntax-xhtml
Affected versions: 0 (fixed in 14.6-rc-1)
Maven org.xwiki.platform:xwiki-core-rendering-api
Affected versions: 0 (last affected: 3.0-milestone-2)
Maven org.xwiki.rendering:xwiki-rendering-syntax-html
Affected versions: 0 (fixed in 14.6-rc-1)
Maven org.xwiki.rendering:xwiki-rendering-syntax-html5
Affected versions: 0 (fixed in 14.6-rc-1)
Maven org.xwiki.rendering:xwiki-rendering-syntax-annotatedxhtml
Affected versions: 0 (fixed in 14.6-rc-1)
Maven org.xwiki.rendering:xwiki-rendering-syntax-annotatedhtml5
Affected versions: 0 (fixed in 14.6-rc-1)
Maven org.xwiki.platform:xwiki-platform-annotation-core
Affected versions: 0 (fixed in 14.6-rc-1)

Key Information

GHSA ID
GHSA-6gf5-c898-7rxp
Published
May 11, 2023 8:37 PM
Last Modified
May 11, 2023 8:37 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.rendering:xwiki-rendering-syntax-xhtml
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.