CVE-2023-35153

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 5.4.4 through 14.4.7 XWiki Platform versions 14.4.8 is not affected, but versions prior to 14.4.8 are affected, the same applies to versions 14.10.4 and 15.0

Description A stored cross-site scripting issue can be exploited by users with edit rights by adding a AppWithinMinutes.FormFieldCategoryClass class on a page and setting the payload on the page title. Then, any user visiting "/xwiki/bin/view/AppWithinMinutes/ClassEditSheet" executes the payload.

Recommendations For XWiki Platform versions 5.4.4 through 14.4.7, update to version 14.4.8 or later to resolve the issue. For XWiki Platform versions prior to 14.10.4, update to version 14.10.4 or later to resolve the issue. For XWiki Platform versions prior to 15.0, update to version 15.0 or later to resolve the issue. As a temporary workaround, consider updating AppWithinMinutes.ClassEditSheet with the provided patch.