Xwiki · Identity-Oauth-Ui · CVE-2023-45144
**Name of the Vulnerable Software and Affected Versions**
com.xwiki.identity-oauth:identity-oauth-ui versions prior to 1.6
**Description**
The vulnerable component does not escape the `identityOAuth` parameters of the OAuth login request before rendering them into the page. When a user logs in via the OAuth method, a remote attacker who controls those GET parameters can therefore inject arbitrary HTML (cross-site scripting) and, because the reflected value is also interpreted as XWiki syntax, arbitrary wiki macros, including the `groovy` macro, which yields remote code execution on the server. A successful attack compromises the confidentiality, integrity, and availability of the whole XWiki installation.
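Because the injection arrives in the query string of the login request, it leaves a trace in the web server's access log. The following detector is an added example, not code from the advisory or from the identity-oauth-ui project: it parses combined-format access log lines, URL-decodes every parameter whose name starts with `identityOAuth` (the exact parameter set is not given by the advisory, so prefix matching and the `identityOAuthProvider` name are assumptions), and flags values that contain XWiki macro syntax (`{{name`) or an HTML tag. The log lines are constructed for illustration; the third one is double-encoded to show why decoding is repeated.

```python
"""Flag login requests whose identityOAuth* parameters carry XWiki macro or HTML syntax.

Added example; not part of the advisory or the identity-oauth-ui project.
Assumptions: combined-format access logs, parameter names prefixed with
'identityOAuth' (only 'identityOAuth' itself comes from the advisory), and
constructed sample lines.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PARAM_PREFIX = "identityOAuth"  # assumption: all affected parameters share this prefix

# Checked against the decoded parameter value.
MARKERS = (
    ("xwiki-macro", re.compile(r"\{\{\s*/?[A-Za-z]")),  # {{groovy}}, {{/groovy}}, {{html}}
    ("html-tag", re.compile(r"<\s*/?[A-Za-z]")),         # <script>, </script>, <img ...>
)


def decode_fully(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return (param, marker) pairs for suspicious identityOAuth* values in one request target."""
    query = urlsplit(target).query
    findings = []
    # parse_qsl already decodes one layer of percent-encoding, like the servlet container does.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if not name.startswith(PARAM_PREFIX):
            continue
        value = decode_fully(raw)
        for label, pattern in MARKERS:
            if pattern.search(value):
                findings.append((name, label))
    return findings


def scan(lines):
    """Run inspect_target over access log lines; return one hit per suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        for param, label in inspect_target(m.group("target")):
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "param": param, "marker": label})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Oct/2023:10:01:02 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?identityOAuth=github HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Oct/2023:10:01:09 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?identityOAuth=%7B%7Bgroovy%7D%7D1%7B%7B/groovy%7D%7D HTTP/1.1" 200 2048',
    '198.51.100.23 - - [17/Oct/2023:10:02:30 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin'
    '?identityOAuthProvider=%253Cscript%253E1%253C/script%253E HTTP/1.1" 200 2048',
    '198.51.100.23 - - [17/Oct/2023:10:03:01 +0000] "GET /xwiki/bin/view/Main/Search'
    '?text=%7B%7Bvelocity%7D%7D HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the second and third lines are reported: the first is a normal provider selection, and the fourth carries macro syntax in an unrelated search parameter, which this detector deliberately leaves to a broader rule. The double-decoding loop matters because a single `unquote` would leave `%3Cscript%3E` in the third line unrecognised; three rounds is an arbitrary cap, not a property of XWiki.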
**Recommendations**
Upgrade `identity-oauth-ui` to version 1.6 or later; this is the only complete fix, and no other workaround is known. Restricting who may execute the `groovy` macro narrows the remote code execution path but does not remove the cross-site scripting or the syntax injection itself, so it should be treated only as a stop-gap until the upgrade is applied.