Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-cmvg-w72j-7phx

GitHub Security Advisory

org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

### Impact

There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.

### Patches

This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.

### Workarounds

The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb) and rebuilding and redeploying `xwiki-platform-skin-skinx`.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org)
* Email us at [Security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-skin-skinx
Affected versions: 3.0-milestone-1 (fixed in 14.9-rc-1)

Related CVEs

CVE-2023-29206

Key Information

GHSA ID
GHSA-cmvg-w72j-7phx
Published
April 12, 2023 8:38 PM
Last Modified
April 26, 2023 10:16 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-skin-skinx
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 23, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.