CVE-2020-13654

HIGH LAB

XWiki Platform <12.8 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13654, a PoC published by Astaruf.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-13654, demonstrating a stored XSS vulnerability in XWiki Platform < 12.8 that can be chained with CSRF to achieve privilege escalation. The PoC includes a Python script that automates the attack, from account registration to payload injection and privilege escalation.

Description

XWiki Platform before 12.8 mishandles escaping in the property displayer.

Exploits (1)

Working PoC (source: nomisec)
by Astaruf · poc
https://github.com/Astaruf/CVE-2020-13654


Classification
Working PoC: 100%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: XWiki Platform < 12.8
Auth required: yes
Prerequisites: XWiki Platform < 12.8 · Authenticated attacker account (or open registration) · Administrator to visit the poisoned profile page
Analyzed by devstral-2 on Apr 10, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0010
EPSS Percentile: 26.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Lab Environment

Community Lab
docker pull xwiki:11.10.5-postgres-tomcat

Details

CWE: CWE-116
Status: published
Products (2)
org.xwiki.platform/xwiki-platform-web (Maven): 0 - 12.8
xwiki/xwiki: < 12.8
Published: Dec 31, 2020
Tracked Since: Feb 18, 2026