What is CVE-2023-37908?

CVE-2023-37908 is a critical-severity vulnerability in Xwiki Xwiki-rendering, classified under Improper Neutralization of Script in Attributes in a Web Page. CVSS score: 9.1/10. Published 2023-10-25.

How severe is CVE-2023-37908?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2023-37908 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Xwiki Xwiki-rendering

CVE-2023-37908

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML co…

EPSS: 0.015 (81.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H.

Affected products

Xwiki Xwiki-rendering — versions >= 14.6-rc-1, < 14.10.4

Weakness classification (CWE)

CWE-83 — Improper Neutralization of Script in Attributes in a Web Page

Public proof-of-concept exploits

References

https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-663w-2xp3-5739 (x_refsource_CONFIRM)
https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp (x_refsource_MISC)
https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f (x_refsource_MISC)
https://jira.xwiki.org/browse/XRENDERING-697 (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-37908?: CVE-2023-37908 is a critical-severity vulnerability in Xwiki Xwiki-rendering, classified under Improper Neutralization of Script in Attributes in a Web Page. CVSS score: 9.1/10. Published 2023-10-25.
How severe is CVE-2023-37908?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2023-37908 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.