Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-phwm-87rg-27qq

GitHub Security Advisory

XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact
It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name.
Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token.

### Patches

The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.

### Workarounds

There's no workaround for this other than upgrading XWiki.

### References

* Jira ticket: https://jira.xwiki.org/browse/XWIKI-20339
* Commit containing the fix: https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-oldcore
Affected versions: 3.2-milestone-3 (fixed in 14.10.6)
Maven org.xwiki.platform:xwiki-platform-oldcore
Affected versions: 15.0-rc-0 (fixed in 15.1-rc-1)

Related CVEs

CVE-2023-35157

Key Information

GHSA ID
GHSA-phwm-87rg-27qq
Published
June 22, 2023 7:59 PM
Last Modified
June 22, 2023 7:59 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-oldcore
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 23, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.