XWiki · XWiki · CVE-2023-29205
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform, all versions prior to 14.8RC1
**Description**
The HTML macro in XWiki does not properly neutralize script-related HTML (for example `<script>` elements) in macro content written by users who lack script right. Any user who can place an HTML macro on a page can therefore inject JavaScript that runs in the browser of every user who views that page (stored XSS). This is particularly dangerous in a standard wiki, where every user can edit their own user profile page and use the HTML macro there directly, with no additional privilege.
**Recommendations**
For versions prior to 14.8RC1, upgrade to XWiki 14.8RC1 or later. The patch cleans the content of every HTML macro whenever the author of that content does not have script right, so script-related HTML from such users no longer reaches the rendered page. Until the upgrade is applied, restricting who can use the HTML macro reduces the exposure; reviewing existing pages that any user can edit (user profile pages in particular) for HTML macros whose bodies contain script-related HTML is a worthwhile check, since content injected before the upgrade is not retroactively removed by restricting the macro.
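The following is an added example, not XWiki's own code, that models the check the description and the patch are about and gives a triage helper for the profile-page case: a cleaner that drops `<script>` elements, `on*` event-handler attributes and `javascript:` URLs (that reading of "script-related HTML" is an assumption; XWiki's real HTML cleaner is not reproduced), a `render_html_macro_fixed` that applies it whenever the macro author lacks script right, and an `audit_wiki_content` that scans XWiki 2.x page content for `{{html}}` macros carrying such HTML. The sample profile page is constructed for the example.

```python
"""Model of the HTML macro behaviour behind CVE-2023-29205, plus a content audit.

Added example, not XWiki's code. Assumptions: "script-related HTML" means
<script> elements, on* event-handler attributes and javascript: URLs in
URL-bearing attributes; macro syntax is XWiki 2.x {{html}}...{{/html}}, with
macro parameters captured but otherwise ignored.
"""
import html
import re
from html.parser import HTMLParser

HTML_MACRO_RE = re.compile(
    r"\{\{html(?P<params>[^}]*)\}\}(?P<body>.*?)\{\{/html\}\}",
    re.DOTALL | re.IGNORECASE,
)
URL_ATTRS = {"href", "src", "action", "formaction"}


def _is_script_attr(name, value):
    """Event handlers and javascript: URLs carry script just like <script> does."""
    if name.startswith("on"):
        return True
    return name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:")


class _ScriptStripper(HTMLParser):
    """Re-emits the markup without <script> elements or script-bearing attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through untouched
        self.out, self.findings, self._in_script = [], [], False

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if _is_script_attr(name, value):
                self.findings.append(f"{tag}@{name}")
            elif value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
            self._in_script = True  # body is CDATA: dropped until </script>
        elif not self._in_script:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        elif not self._in_script:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._in_script:
            self.out.append(f"&#{name};")
    # Comments, doctypes and processing instructions fall through the default
    # no-op handlers and are dropped.


def strip_script_content(markup):
    """Return (cleaned markup, list of what was removed)."""
    parser = _ScriptStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.findings


def render_html_macro_before_fix(body, author_has_script_right):
    """Pre-14.8RC1 behaviour as the advisory describes it: the body reaches the
    page with its script-related HTML intact, whatever the author's rights."""
    return body


def render_html_macro_fixed(body, author_has_script_right):
    """14.8RC1 behaviour as described: clean whenever the author lacks script
    right; a script-right holder may still emit raw HTML on purpose."""
    if author_has_script_right:
        return body
    return strip_script_content(body)[0]


def audit_wiki_content(content):
    """Flag {{html}} macros in page content (e.g. an exported user profile page)
    whose body carries script-related HTML."""
    report = []
    for index, match in enumerate(HTML_MACRO_RE.finditer(content)):
        findings = strip_script_content(match.group("body"))[1]
        if findings:
            report.append({"macro": index, "params": match.group("params").strip(),
                           "findings": findings})
    return report


# Constructed sample: a profile page with one benign and one malicious HTML macro.
BENIGN_BODY = '<p class="bio">Hi, I work on <b>wikis</b>.</p>'
MALICIOUS_BODY = ('<img src="x" onerror="alert(1)">\n'
                  "<script>alert(document.domain)</script>\n"
                  '<a href="javascript:alert(1)">profile</a>')
SAMPLE_PROFILE_PAGE = ("= About me =\n{{html}}" + BENIGN_BODY + "{{/html}}\n\n"
                       "{{html}}" + MALICIOUS_BODY + "{{/html}}\n")

if __name__ == "__main__":
    for entry in audit_wiki_content(SAMPLE_PROFILE_PAGE):
        print(f"macro #{entry['macro']} params={entry['params']!r}: {entry['findings']}")
    print(render_html_macro_fixed(MALICIOUS_BODY, author_has_script_right=False))
```

Run against an exported page or a dump of all user profile pages, the audit reports the macro index and what it found, which is the list to review by hand; the cleaner keeps benign markup byte-for-byte and only removes the parts that can execute script.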