
Exploit for XWiki < 14.10.5 - Cross-Site Scripting (CVE-2023-35162)

Description:

XWiki Platform is vulnerable to reflected cross-site scripting in the previewactions template (previewactions.vm). The value of the xcontinue request parameter is reflected into the page, so an attacker can inject JavaScript through it.
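Because the injection point is a single named request parameter, the most practical defensive check is to watch access logs for xcontinue values that carry HTML metacharacters rather than the continuation URL they are meant to hold. The following Python is an added example written for this page, not code from the XWiki project or from the Nuclei template; the request path, the combined log format and the three log lines are all constructed for illustration, and the third line uses harmless markup characters rather than a real payload.

```python
"""Flag XWiki requests whose ``xcontinue`` parameter carries HTML metacharacters.

Added example for the CVE-2023-35162 entry. The log lines, the request path
and the log layout (Apache "combined" format) are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A continuation URL has no business containing these; their presence in the
# decoded value is the signal for an attempted reflected XSS.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)

# client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one plain page view, one legitimate xcontinue value,
# one request whose xcontinue value decodes to markup characters.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] '
    '"GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] '
    '"GET /xwiki/bin/preview/Main/WebHome?xcontinue=%2Fxwiki%2Fbin%2Fview%2FMain%2FWebHome HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2023:12:00:03 +0000] '
    '"GET /xwiki/bin/preview/Main/WebHome?xcontinue=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" '
    '200 2048 "-" "curl/8.0"',
]


def suspicious_xcontinue(raw_path):
    """Return the decoded xcontinue value if it looks like markup, else None.

    parse_qs already removes one layer of percent-encoding; the extra unquote()
    catches double-encoded values that a naive filter would miss.
    """
    query = urlsplit(raw_path).query
    for value in parse_qs(query, keep_blank_values=True).get("xcontinue", []):
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (client_ip, request_path, decoded_xcontinue) for each flagged request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        flagged = suspicious_xcontinue(match.group("path"))
        if flagged is not None:
            hits.append((match.group("ip"), match.group("path"), flagged))
    return hits


if __name__ == "__main__":
    for ip, path, value in scan(SAMPLE_LOG):
        print(f"{ip} sent markup in xcontinue ({value!r}) via {path}")
```

The rule is deliberately narrow (one parameter, a handful of characters) so it produces few false positives on a real XWiki log; a legitimate xcontinue value is a path or URL and will never decode to a quote or angle bracket. Pair it with a response-size or status check only if your own traffic shows the preview endpoint behaving differently for reflected input.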

Nuclei Template

View the template here: CVE-2023-35162.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-35162.yaml

References:

https://jira.xwiki.org/browse/XWIKI-20342
https://nvd.nist.gov/vuln/detail/CVE-2023-35162
https://github.com/xwiki/xwiki-platform/blob/244dbbaa0738a0c40b19929c0369c8b62ae5236e/xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/previewactions.vm#L48