CVE-2026-40105
MEDIUM 6.1 | EPSS 0.74% | XWiki has Reflected Cross-Site Scripting (XSS) in page history compare
Description

### Impact

A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.

### Patches

The problem has been patched by properly escaping the URL parameters.

### Workarounds

The [patch](https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c#diff-a5e75a4e3820a63c02a32666dda67c73ee7885ab8e7f67e52cfcb3be5a13326e) can be applied manually to `templates/changesdoc.vm` in the deployed WAR.

### Attribution

XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
Affected packages (1)
- Maven / org.xwiki.platform:xwiki-platform-web-templates: >= 10.4-rc-1, < 16.10.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-40105
- PATCH: https://github.com/xwiki/xwiki-platform
- WEB: https://github.com/xwiki/xwiki-platform/commit/3c8a2ec985641367015c2db937574fcd360c788c
- WEB: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w4fj-87j5-f25c
- WEB: https://jira.xwiki.org/browse/XWIKI-23472