GHSA-jjm5-5v9v-7hx2

GitHub Security Advisory

org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints

✓ GitHub Reviewed MODERATE Has CVE

View on GitHub

Advisory Details

### Impact

It was possible to inject some code using the URL of authenticate endpoints, e.g.:

```
https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword
```

This vulnerability was present in recent versions of XWiki:
- 13.10.8+
- 14.4.3+
- 14.6+

### Patches

This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.

### Workarounds
There is no easy workaround except to upgrade.

### References

- https://jira.xwiki.org/browse/XWIKI-20335
- https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](https://jira.xwiki.org)
* Email us at [security mailing-list](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-security-authentication-default

Affected versions: 13.10.8 (fixed in 13.10.11)

Maven org.xwiki.platform:xwiki-platform-security-authentication-default

Affected versions: 14.4.3 (fixed in 14.4.7)

Maven org.xwiki.platform:xwiki-platform-security-authentication-default

Affected versions: 14.6 (fixed in 14.10)

Related CVEs

CVE-2023-29506

Key Information

GHSA ID

GHSA-jjm5-5v9v-7hx2

Published

April 12, 2023 8:36 PM

Last Modified

April 26, 2023 8:33 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.xwiki.platform:xwiki-platform-security-authentication-default

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 23, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.