CVE-2023-45144

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-45144
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45144.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-45144
Aliases
Published
2023-10-16T20:32:50Z
Modified
2025-11-04T20:14:53.357356Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Remote code execution from login screen through unescaped URL parameter in OAuth Identity XWiki App
Details

com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.

Database specific 
{
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/xwikisas/identity-oauth

Affected ranges

Type
GIT
Repo
https://github.com/xwikisas/identity-oauth
Events
Introduced
6b3f360123714f995d156ef368262de8bc3a1353
Fixed
f41901c5a01e00f9099dda289dfe79d17aa37ba7

Affected versions

identity-oauth-1.*

identity-oauth-1.2
identity-oauth-1.4
identity-oauth-1.5
identity-oauth-1.5.1
identity-oauth-1.5.2
identity-oauth-1.5.3

identity-oauth-parent-1.*

identity-oauth-parent-1.0
identity-oauth-parent-1.1
identity-oauth-parent-1.1.1
identity-oauth-parent-1.1.2
identity-oauth-parent-1.3
identity-oauth-parent-1.4-rc1
identity-oauth-parent-1.4.1