{"id":"CVE-2023-26480","summary":"XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data","details":"XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce stored cross-site scripting (XSS) by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.\n","aliases":["GHSA-32fq-m2q5-h83g"],"modified":"2026-04-10T04:56:23.790266Z","published":"2023-03-02T17:09:18.909Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26480.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://jira.xwiki.org/browse/XWIKI-20143"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26480.json"},{"type":"ADVISORY","url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26480"},{"type":"FIX","url":"https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79"},{"type":"FIX","url":"https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"612251661a3a45798f307c1d3eafd3b269730a8d"},{"fixed":"61a67f5cf241df692779d77367168e0762119091"}],"database_specific":{"versions":[{"introduced":"12.10"},{"fixed":"13.10.10"}]}},{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"d971304b0e0bf4f6dad278de89518edc17459741"},{"fixed":"962ee4ac0352ab1a89cc779c29e81b0674d0203e"}],"database_specific":{"versions":[{"introduced":"14.0"},{"fixed":"14.4.7"}]}},{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"ab4dfeaeef13360eebcaa507bc652073aa89a427"},{"fixed":"101becab406
9ae9ccdc8c2f2c4edc562645e152b"}],"database_specific":{"versions":[{"introduced":"14.5"},{"fixed":"14.9"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26480.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"}]}