CVE-2023-29206
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-29206
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29206.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-29206
- Aliases
- Published
- 2023-04-15T15:41:56Z
- Modified
- 2025-10-22T18:37:22.937222Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
- Details
-
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.
- Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-commons
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1
Database specific
vanir_signatures
[
{
"signature_type": "Function",
"digest": {
"function_hash": "34130194684561422720238525547282185433",
"length": 325.0
},
"deprecated": false,
"id": "CVE-2023-29206-102902e9",
"target": {
"function": "hasPageExtensions",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "22913090787788648062999852170024288018",
"length": 286.0
},
"deprecated": false,
"id": "CVE-2023-29206-3f244ceb",
"target": {
"function": "getAlwaysUsedExtensions",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"258591366146419889206158727159062211220",
"55253143703940520598936916401962713999",
"81553565068629671485548109639071481834",
"305992418669523286337065897663886684290",
"319254241365268673424377021821081876880",
"27044529665928894512575116993978731568",
"45796043505303130559243164945712893576",
"114857434361542147987586766733999440674",
"135759542282294651096524243455861676266",
"195318177868754471901069891755613418178",
"167796781257905992272668365836616999370",
"275120978182572399644960005712266652958",
"308953361840374646097579181611948690418",
"53722778497500196174724352380996429547",
"269241876773929186010498355285617637759",
"81942517613037822458524896472728910842",
"205286114427655690390324093691450111789",
"263804952151538571322656757850584137726",
"334075364083788074796887114603265945297",
"124083214872777752701250580544837748874",
"326095370084533313635855696264551866137",
"139760322372840010083719929531918566272",
"288304512056465520784668611210502563846",
"51097667154291679007930988636412515800",
"280025753739297294205477355978506741824",
"146696932511060761819755531184418675322",
"96518688010714034148324822869233400340",
"114500910749756958506902644916552006925",
"100443930692150916036763561903028669843",
"88080358427788570845526682805482641974",
"223806271234802523021061016499458327744",
"108587633537507210242609878158511307392",
"57490732930375990011651764738612837592",
"208425752793994609562749287623506934053",
"9569286922389754344431400768044722326",
"234867456827963408314829715599742868609",
"73941495487685912561808776339084606125",
"89686976386905359160902366495679439995",
"259838011127261728678523390751817422239",
"315678609982251785319114951047508274994",
"191310203375526775776172311574638547729",
"195299745466120622145819947193178355690",
"334927815293158936358644741193001820701",
"111976363091044315249957285253106083892",
"339714735094650575291227574889540003456",
"232511614165435602645525268429512310273",
"174982043977539907991284660878953259542",
"27324504886623735116173105899141909676",
"75705873815691461903802696250684068252",
"305265591451157897995586513738288089289",
"259846087370414996153919760686466602824",
"335835861565256469706206081363422249760",
"17606765014698351965099192015205083624",
"48120282143014015569657105258084894057",
"205170156965774658125893533917388190807",
"23279431694719736153288240454481521752",
"128079460646868496254038745598303003489",
"274068016961227684837027678269141869940"
]
},
"deprecated": false,
"id": "CVE-2023-29206-49e8bdf5",
"target": {
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"167924906780490904393653462888618156904",
"125346749942963821915815921605471538551",
"162355610890812995784632803752469582389",
"203797702497711822861296361476684592966",
"333597424449134844226795850243577405126",
"34959719472292593201383430834332067638",
"232509687406203477513182138184669651008",
"254600042980048757636191817796506975352",
"149502178577958408496228299356901479591",
"296972907552023361711671848199537526852"
]
},
"deprecated": false,
"id": "CVE-2023-29206-5d5523b2",
"target": {
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "15604921650610682951060699155106223329",
"length": 138.0
},
"deprecated": false,
"id": "CVE-2023-29206-6111b431",
"target": {
"function": "use",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "153578121726839086529052392341481848536",
"length": 116.0
},
"deprecated": false,
"id": "CVE-2023-29206-70330aa7",
"target": {
"function": "use",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "80959955570241068697729842059567697073",
"length": 200.0
},
"deprecated": false,
"id": "CVE-2023-29206-825ec785",
"target": {
"function": "use",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "238327001963237177419880671962509200818",
"length": 1185.0
},
"deprecated": false,
"id": "CVE-2023-29206-ae9f35ad",
"target": {
"function": "getAlwaysUsedExtensions",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"67701809456834396282246651726416896194",
"161968046072189245448101997570528539300",
"267745403428340098294212673995108313276",
"88922649415241694560958766890257652072",
"215199599641425334939347173697192403906",
"251816856439883356466173850753899216315",
"180835086245262716847220697238796139894",
"222230847715378379706470041518623815940",
"257987567835481188112663690216475254695",
"261245345691381057503328965177204350171",
"181942569320872967355332301205254751897",
"93703730281610869490087225108052973983",
"133227852277996726066361564104283009331",
"235233401185109252730570513243029616710",
"288699976402697928349316209642388457386",
"250683676244268006816269585181513807197",
"312322903517384688385118734893774379813",
"293981613254798979602868487989761452856",
"45295025453298061689310362017694295987",
"324070266862620466726672487897925045310",
"121577626445088978870982290927182863029",
"324683681735381172858676980346350090287",
"5964161059443052022208939074068650467",
"135227408933358656864074644345510170395",
"95661232773126075527590395487062607755",
"303706148233587193012033116419863341729",
"117300685572752769542511110121866276822",
"128792738898456572968375299622360385434",
"154522757756529559348473247407034679377",
"52758879390681936127233898349620383981",
"57317596374639485037420886343284368097",
"81838113461885731059446907931868126693",
"157283465210799797651629080374791798916",
"195673005569089704039831203580537715768",
"330957745634250737856992015742326434695",
"244235725604222535889895387186310065562",
"26160894708386283592656820989449423987",
"178789280077436593173521927759755944861",
"79046921760148655709774918321529977426",
"100861603554228409882159718921818301507",
"52916774534838419835240781500081847757",
"96851037667423234843549396074901412780",
"104552772648889708207420338919051602860",
"197572982196027285698140601212269182389",
"302751825548929263915303279268837320468"
]
},
"deprecated": false,
"id": "CVE-2023-29206-c080dfe8",
"target": {
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/test/java/com/xpn/xwiki/plugin/skinx/CssSkinExtensionPluginTest.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "96664526288035141765021236868698252275",
"length": 843.0
},
"deprecated": false,
"id": "CVE-2023-29206-d44f3b7d",
"target": {
"function": "setup",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/test/java/com/xpn/xwiki/plugin/skinx/CssSkinExtensionPluginTest.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "209542863340416741004289663131303904239",
"length": 599.0
},
"deprecated": false,
"id": "CVE-2023-29206-d4fd71d8",
"target": {
"function": "onDocumentEvent",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "20258489528944856041731284726956845050",
"length": 177.0
},
"deprecated": false,
"id": "CVE-2023-29206-e4632b1f",
"target": {
"function": "use",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
},
{
"signature_type": "Function",
"digest": {
"function_hash": "315320403352193462663023259991423946558",
"length": 341.0
},
"deprecated": false,
"id": "CVE-2023-29206-e85f4d18",
"target": {
"function": "getCanonicalDocumentName",
"file": "xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/com/xpn/xwiki/plugin/skinx/AbstractDocumentSkinExtensionPlugin.java"
},
"source": "https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb",
"signature_version": "v1"
}
]