GHSA-vxf7-mx22-jr24

GitHub Security Advisory

org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

### Impact

The HTML macro does not systematically neutralize script-related HTML tags. As a result, any user able to use the HTML macro in XWiki can introduce a stored XSS payload. This is particularly dangerous because, in a standard wiki, any user can use the HTML macro directly in their own user profile page.

### Patches

The problem has been patched in XWiki 14.8RC1. With the patch, HTML macro content is systematically cleaned up whenever the user does not have script right.
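The rule the patch describes, raw HTML only when the author holds script right and cleaned content otherwise, modelled as an added example in Python (this is not XWiki's own macro code; the deny-list of tags and attributes is an assumption chosen for illustration):

```python
from html import escape
from html.parser import HTMLParser

# Constructed model of the patched rule the advisory describes (not XWiki's own
# macro code): HTML macro content is emitted untouched only when its author
# holds script right; otherwise it is cleaned first.
DROPPED_TAGS = {"script", "iframe", "object", "embed"}  # assumed deny-list
URL_ATTRS = {"href", "src", "action"}

class _Cleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out, self._skip = [], 0  # _skip: depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_TAGS:
            self._skip += 1
        elif not self._skip:
            kept = []
            for name, value in attrs:
                if name.startswith("on"):  # inline event handlers
                    continue
                if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"' if value is not None else f" {name}")
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)
    def handle_entityref(self, name):
        self.handle_data(f"&{name};")
    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def clean_html(content: str) -> str:
    cleaner = _Cleaner()
    cleaner.feed(content)
    cleaner.close()
    return "".join(cleaner.out)

def render_html_macro(content: str, has_script_right: bool) -> str:
    # Patched rule: raw HTML only for script-right holders, cleaned otherwise.
    return content if has_script_right else clean_html(content)
```

Before the fix, the unprivileged branch could return the content untouched, which is the stored XSS the advisory describes.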

### Workarounds

There's no workaround for this issue.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-rendering-xwiki
Affected versions: 0 (fixed in 14.8-rc-1)

Key Information

GHSA ID
GHSA-vxf7-mx22-jr24
Published
April 12, 2023 8:38 PM
Last Modified
April 26, 2023 10:17 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-rendering-xwiki
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 23, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.