CVE-2023-26480
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-26480
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26480.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-26480
- Aliases
- Published
- 2023-03-02T17:09:18.909Z
- Modified
- 2025-12-12T14:53:17.652789Z
- Severity
-
- 8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
- Details
-
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26480.json", "cwe_ids": [ "CWE-79" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26480.json
- https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79
- https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
- https://jira.xwiki.org/browse/XWIKI-20143
- https://nvd.nist.gov/vuln/detail/CVE-2023-26480
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1
Database specific
vanir_signatures
[
{
"digest": {
"length": 755.0,
"function_hash": "119728896860419731198686025010029683133"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-14c7d6b1",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/main/java/org/xwiki/livedata/internal/macro/LiveDataMacro.java",
"function": "execute"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"length": 344.0,
"function_hash": "245179835786299936198890305743241755274"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-1564cc02",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/test/java/org/xwiki/livedata/internal/macro/LiveDataMacroTest.java",
"function": "executeWithoutParams"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"length": 485.0,
"function_hash": "198467570523464788397377616871091765227"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-6f59545b",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/main/java/org/xwiki/livedata/internal/macro/LiveDataMacro.java",
"function": "getQuery"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"length": 2394.0,
"function_hash": "48923890358733297894163999071445692381"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-7c3ed4c1",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/test/java/org/xwiki/livedata/internal/macro/LiveDataMacroTest.java",
"function": "execute"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"length": 1936.0,
"function_hash": "25225102450565286201420038953954087186"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-7e721fa4",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/test/java/org/xwiki/livedata/internal/macro/LiveDataMacroTest.java",
"function": "executeWithContent"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"177753491743340591061189512884154889289",
"77635548860631999934637655171044287927",
"313734818734728903785484697901684446445",
"111477877255939377377583823070593127477"
]
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-85ac4397",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/test/java/org/xwiki/livedata/internal/macro/LiveDataMacroComponentList.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"93427145748855349394778628652839775557",
"300719156550076784905838494429560434798",
"241024583779973563034494364894023098579",
"285113546688323215093593513384457608701",
"70551435315076573156395960797238305539",
"325827501561699154600944597266355998375",
"289687041868015069604367028275538086720",
"303121460541071727436451822078879687976",
"199868511596080579928937711149151975004",
"281752992185721060957289242534259486416",
"232031984576441847693983056478750143818",
"286239306366816474840472291885447178000",
"161529508045507374231580542923282819301",
"165136088221509654545587032232787771581",
"32578134938942949356161331650442931860",
"196951385190035015270253597303326212961",
"160126300721259239495779413150383437815",
"60228002092591269832099700920738383435",
"51227002850104861077763316619231015851",
"20628251612861619337317376121148340391",
"114670188803812224602699403074351184376",
"257750864109828328688618950197044074349",
"97065540622159390965840282841814522646",
"246128002282652908188512248108031913325",
"22824726990889835257466266473937770330",
"114670188803812224602699403074351184376",
"288094205597832874703058317095518165114",
"162010279166634143259076291591226318249",
"257605686603910265817773432727078847807"
]
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-d6f7686f",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/test/java/org/xwiki/livedata/internal/macro/LiveDataMacroTest.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"229708932420435599542568033935538858910",
"215091296020298469228755708467284453220",
"308740110973724237459580577267346865528",
"22382159681978471364808851742606998991",
"85958434038394528563344181650085846055",
"319687027807079032258896528549610838063",
"73034259330020920525244508331469032999",
"302730040717498156458219075032786518592",
"270762282257999544326971551987663962838",
"234926049215228884858966815388579155446",
"162432348981752138687664503017047468641",
"270694283436580175277991506986260752923",
"105360672730591793887952496030947635673",
"198990054330709538919336490702613828638",
"24662434259773006550961074685083382426",
"186028306471762384511985979638050873669",
"269325605056090271243206242081117934003",
"126414392192402342863466041838955486516",
"83865817599116478696806679444823129961",
"194680742102579679937392232124702319701",
"52006991050388019760976967722154368699",
"115381126107925246945947559529216950559",
"43736802622753432839021575448733294998",
"93856727147931433233361374826765129400",
"9655490176378907651232665094575941757",
"74882572413781267280244753528396762655",
"139472227490000126862255767723873772569",
"123492599170953830573525287921742424357",
"162141387759726498494829307145229797692",
"76625776561911641021793617136248257868",
"81801003321634006820629039194636119549",
"125361029086110794903512357209107958345",
"271223256478295728094032785214891118123",
"167010533419407234481389781934447338685",
"241437890073431364849262409820466362557",
"1563910109394400222450085350799350640",
"287409094021412614454834972028132347495",
"189690166300894937367368680306969410596",
"226130203030890597837327257106915890096",
"152499201192087079860021199151672708663",
"297375298712029899766786701097823888154",
"275942507927558608884548555871137282960",
"17352392041957385233313353173453662087",
"113218397758547089641741693980442851076",
"110109772695589021338803231561019284444",
"87524578357706836417856584228274444173",
"31808911369556744265010803592133597515",
"53806554116443408581896140808423161717",
"328844027155793964840905105060728284964",
"267849111458618807301167540993553227045",
"157109456808288222255947970686383145002",
"240888905173462427989004585499957832012",
"278844228631261072057623496270188921527",
"52617883230708651926786549993665899145",
"57541062617009731874950717912244301138",
"222003965734228941839486180474826856643",
"228804048022794819565394689439025914954",
"2076770719267672062461204818327920447",
"35736222368495572938822814884447295491",
"321052239721389877560749070242463615997",
"322008537956662153073461275839523016158",
"104795388639601943657010787789232132361",
"171325466837152056880698433706125729889",
"22391430796825989932232097109932856533",
"186444319410630037352534439219241550948",
"18691117772621952689618106436316040784",
"115011145756112669709675494498219936322",
"329605877932230391982475375105653438743",
"36633946205171121439359547368399152885",
"151559900623976301749751492050292241703",
"43956900065728388092185560221892178847",
"92292256643436244510666478110754806231",
"124955109898566823072323211949047357116",
"104515415823977632826531497433048210081",
"23709466868123435894019200066425251920",
"223282257932023624706598744008558164630",
"122999764834658414494711266194836929014",
"28649483718712722344048936986430904978",
"239545055556389384286817162448247063326",
"211467137401525394597132683786836696308",
"281132069270529941863826522582811590074",
"114944711895189377032657365490912747785",
"301200395077455725625085542903561994678",
"305876611110689372931313840618868075058",
"204829838970267849886133374179295099436",
"45418891266347309010742805845191041376",
"303950152490153594456491051130912983766",
"31532137281286839204919055655723693364",
"261717921722720105586840678774217978948",
"90437636454179197510192776965744742647",
"318228673320339062243979234496183697203",
"158477902474919815230448395261905752641",
"20429612996447436132884139968232577384",
"307419975119181918879132998287692428748",
"134691720788603286088230124997878334275",
"336382568955690116842147835923303974478",
"235771496883178109266095135099879996797",
"2048647431415862927850349308279721060",
"105262600897931321444668872629005469185",
"20477294332992572132366328722574019152",
"211807339385361593484963722558849033525",
"198064004270280526380935024129155633925",
"108028930040338831600886655989942251946",
"247969647075805452191943028204695200876",
"185481743549465435352636907075589785675",
"107345933630533721646883756646144450990",
"177223823288684866299410548355235209988",
"153662833638517971517900716624868488120",
"123082284366849833198635882330874061088",
"140542515023926220323252730910876445170",
"328016763046520185923727267191705113207",
"23101563537747290342926931729711212374",
"212787059834579277567784920720420524052",
"280064919480642523575197023451677707248",
"69681072160547252981836981096147841701",
"295759568754448779863734776496015116439",
"72914520462378325503630307174699404760",
"111755766557284687871783787773551070261",
"168960252894472916237150516129330851065",
"174278489243746923083613127161047839309",
"103971736362667462917747202500577323787",
"4838420532528731039059460127962432636",
"54280931001229142272713183574241856501",
"65233695726968504253015729048459177634",
"214600883036710087000637586485565286858",
"94714589871778442559470893886131852931",
"220902800977176733395436733879441396194",
"235659408948475265397821924542892418659",
"2774091735966804030102904590721244631",
"271981133661803392699564680287898735953",
"175015939763766495587439568576816422393",
"264745895329770819427923985024533444134",
"93148103715666642542555435561728491889",
"300998540745529976484818467053070942765",
"100350634592826672386364498546441131654",
"181498347065771978370905591959134948549",
"170540142373007242605006807212319010748",
"191263903778047208261557731184746152969",
"93021562015830042544809736546591478310",
"254308946465426498551638162687336430006",
"281013226140977728110563658757004957796",
"176809547217636703964535555480132161872",
"315065975956718663497212687246943366318",
"58391916847777617826986472794144234650",
"196418294927109547603915864206967826066",
"50653037696351130085157179256475654086",
"328642298164457742706702513046452144499",
"55069984506706501714899109495733512575",
"145131137675791967651880448371835376293",
"258061418247160051371076155013321111485",
"330869101241116758595557908638604343213",
"337277630375755099987281553507393699783",
"157253757988803815860287917384458018551",
"157438635386300660374888708799474138810",
"303076672224493490669832325468580332292",
"183145798237008004173500811063918200577",
"119139786976589741814553664253748270343",
"61839058594894801175211735392992633880",
"327828391403473782106951646173288737890",
"139130179969791009201387282609254913252",
"120420073871981193939375125331019072341",
"322837564405871569939701275675002105614",
"141583552470242947653583226374690927262",
"273812555209495686128806567152675382203",
"310264989455676652492752228952540696124",
"134705509653628074412855084290933968466",
"189761357139249655315933355626640633279",
"327075617326403500639095078038904923602",
"30499767256377043108908379798478073397",
"221980376115714836180041570394786208678",
"197248511767195706318841200504681248445",
"170721403821119784603154740107176996380",
"67700547753824606948678277805743372964",
"318949701020550001126742333767749057294",
"141884615103131808949424400095886144859",
"151848037655705413947366943476523958184",
"208798800266544347046214078547645014630",
"321821084845182416846313133271360580305",
"15106643415048099911083526353158541309",
"108220242897661825489827906691947619198",
"205996928375847922278233648684186547447",
"152161881460003940432537487035391832450",
"267438013610812624062928239246620446191",
"148711589935016070914632826127243835824",
"239191968660343187122413811852873376629",
"78226959706478037196926827574342137011"
]
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-26480-dd17cbf0",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-livedata/xwiki-platform-livedata-macro/src/main/java/org/xwiki/livedata/internal/macro/LiveDataMacro.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"
}
]