CVE-2023-35160

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 2.5-milestone-2 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1)

Description The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling cross-site scripting (XSS) attacks. This can be exploited by using a URL such as "xwiki/bin/view/XWiki/Main?xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists due to inadequate protection of the web page structure.

Recommendations For XWiki Platform versions 2.5-milestone-2 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1), update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template resubmit.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.