{"id":"CVE-2023-35155","summary":"XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email","details":"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. An unauthenticated attacker can forge a URL whose `target` parameter of the share-page-by-email viewer carries a payload that is reflected into the rendered page, allowing JavaScript injection (reflected XSS, CWE-79). For instance, the following URL executes `alert(document.domain)` in the browser of any user who opens it: `\u003cxwiki-host\u003e/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `\u003cxwiki-host\u003e` is the URL of your XWiki installation. Because the script runs in the origin of the XWiki installation, it executes with the permissions of the victim's session; exploitation requires the victim to open the crafted link (no privileges needed, user interaction required, as reflected in the CVSS vector). The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.\n","aliases":["GHSA-fwwj-wg89-7h4c"],"modified":"2026-03-20T12:21:04.031271Z","published":"2023-06-23T18:15:05.289Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35155.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://jira.xwiki.org/browse/XWIKI-20370"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/35xxx/CVE-2023-35155.json"},{"type":"ADVISORY","url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fwwj-wg89-7h4c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-35155"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"e4f133a1bbef25becfbf8182cffa883995565306"},{"fixed":"b469b950e7fe3d22f00b639d43f286bf871472b1"}],"database_specific":{"versions":[{"introduced":"2.6-rc-2"},{"fixed":"14.4.8"}]}},{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"ab4dfeaeef13360eebcaa507bc652073aa89a427"},{"fixed":"c127075e7814ef7cd164bb6493d67b1943b6db1e"}],"database_specif
ic":{"versions":[{"introduced":"14.5"},{"fixed":"14.10.4"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-35155.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L"}]}