Xwiki-platform - XSS (CVE-2023-46732)
33Exploiting IPs reported
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. The patch in commit `04e325d57` can be manually applied without upgrading (or restarting) the instance. Users are advised to upgrade or to manually apply the patch. There are no known workarounds for this vulnerability.
CrowdSec analysis
CVE-2023-46732 is a critical vulnerability affecting XWiki Platform, allowing for reflected cross-site scripting (RXSS) via improper handling of a query parameter in wiki page requests. If a user with sufficient rights is tricked into accessing a crafted URL, an attacker may execute actions on their behalf, potentially resulting in remote code execution, data compromise, or full takeover of the XWiki instance.
CrowdSec has been tracking this vulnerability and its exploits since 20th of May 2025.
Data from the CrowdSec community indicates that exploitation of CVE-2023-46732 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2023-46732 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2023-46732 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.
Exploitation attempts are observed by targeting URLs containing /bin/view/main/ with maliciously crafted input.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.