XWiki Platform Users Beware of Script Injection Vulnerability

CVE: CVE-2023-32071
CVSS v3.1: 9.1
Source: CVE-2023-32071

XWiki Platform is an open source wiki that lets users share and collaborate on information. Older versions of XWiki Platform are affected by a script injection vulnerability that allows an attacker to execute JavaScript with the privileges of any user who can be lured to a crafted link.

The vulnerability is present in XWiki versions from 2.2 up to 14.4.7, in versions up to 14.10.3, and in 15.0 RC1. It is exploited by tricking a user into visiting a specially crafted URL on a vulnerable XWiki instance. That URL targets a wiki page holding a malicious attachment that carries JavaScript; when the page is accessed, the script runs in the victim's browser with that user's permissions.

To protect an installation, upgrade XWiki Platform to one of the patched releases: 14.4.8, 14.10.4 or 15.0 RC1. As a workaround, the importinline.vm template file can be edited to disable inline JavaScript, as described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.
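The version ranges above are the information a defender acts on first: which deployed instances still sit below the fix release of their branch. The following triage helper is an added example, not part of this advisory or of XWiki itself. It parses XWiki release strings (assumed to look like `14.10.3`, `14.4.8`, `15.0-rc-1` or `15.0 RC1`; milestone builds are rejected rather than guessed) and classifies a version against the ranges stated above, treating any version at or after the fix release listed for its branch as patched.

```python
import re
from typing import NamedTuple

# Added example (not from the advisory or from XWiki): classify a deployed
# XWiki version against the CVE-2023-32071 ranges the advisory states.


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int  # 1 for a final release, 0 for a release candidate
    rc: int     # release-candidate number, 0 for final releases


# Accepts "14.10.3", "14.4", "15.0-rc-1" and "15.0 RC1" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[\s-]*rc[\s-]*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse an XWiki version string into a sortable tuple.

    A release candidate sorts before the final release of the same number,
    so 15.0-rc-1 < 15.0. Anything else (e.g. milestone builds) is rejected
    instead of being silently misclassified.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return Version(int(major), int(minor), int(patch or 0), 1, 0)
    return Version(int(major), int(minor), int(patch or 0), 0, int(rc))


# Fix releases named in the advisory, one per affected branch, and the first
# affected version (2.2).
FIRST_AFFECTED = parse_version("2.2")
FIX_14_4 = parse_version("14.4.8")
FIX_14_10 = parse_version("14.10.4")
FIX_15_0 = parse_version("15.0-rc-1")

# Branch boundaries used to pick the relevant fix release.
_BRANCH_14_5 = Version(14, 5, 0, 0, 0)
_BRANCH_15_0 = Version(15, 0, 0, 0, 0)


def cve_2023_32071_status(text: str) -> str:
    """Return 'not-affected', 'vulnerable' or 'patched' for one version.

    Assumption: a version at or after the fix release of its own branch is
    patched; every other version inside the advisory's ranges is vulnerable.
    """
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-affected"  # predates the vulnerable code per the advisory
    if v < _BRANCH_14_5:       # 2.2 .. 14.4.x, fixed in 14.4.8
        return "patched" if v >= FIX_14_4 else "vulnerable"
    if v < _BRANCH_15_0:       # 14.5 .. 14.10.x, fixed in 14.10.4
        return "patched" if v >= FIX_14_10 else "vulnerable"
    return "patched" if v >= FIX_15_0 else "vulnerable"  # 15.x, fixed in 15.0 RC1


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"wiki-a": "14.10.3", "wiki-b": "14.4.8", "wiki-c": "15.0 RC1", "wiki-d": "2.1"}
    for host, version in inventory.items():
        print(f"{host:8} {version:10} {cve_2023_32071_status(version)}")
```

Run it against an exported list of instance versions; anything reported as `vulnerable` needs the upgrade or the importinline.vm workaround described above. The strict parser is deliberate: an unrecognised version string raises instead of quietly landing in the wrong bucket.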

Always keep your software up to date and be wary of unsolicited links or attachments, even from sites you trust. Basic precautions like these help prevent attackers from exploiting known vulnerabilities to compromise your data or accounts.
