SCA: security update for org.xwiki.platform:xwiki-platform-web, org.xwiki.platform:xwiki-platform-web-templates (GHSA-fp7h-f9f5-x4q7)

medium Tenable Cloud Security Plugin ID 414605

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-
platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-
web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-
site scripting attack. The attack occurs by putting plain HTML code into that document and then tricking
another user to visit that document with the `displaycontent` or `rendercontent` template and plain output
syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions be
performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole
XWiki installation. This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type
of the response to plain text when the output syntax is not an HTML syntax. (CVE-2023-34464)

See Also

https://github.com/advisories/GHSA-fp7h-f9f5-x4q7

Plugin Details

Severity: Medium

ID: 414605

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-34464

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/20/2023

Vulnerability Publication Date: 6/20/2023

Reference Information

CVE: CVE-2023-34464

cwe: CWE-79