CVE-2012-1019

Name of the Vulnerable Software and Affected Versions XWiki Enterprise version 3.4

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the XWiki.XWikiComments comment parameter to "xwiki/bin/commentadd/Main/WebHome", the XWiki.XWikiUsers 0 company parameter when editing a user profile, or the projectVersion parameter to "xwiki/bin/view/DownloadCode/DownloadFeedback".

Recommendations For XWiki Enterprise version 3.4, consider disabling the comment addition feature and restrict user profile editing until a patch is available. Avoid using the XWiki.XWikiComments comment and XWiki.XWikiUsers 0 company parameters in the affected API endpoints, and restrict access to the "xwiki/bin/view/DownloadCode/DownloadFeedback" endpoint to minimize the risk of exploitation.