CVE-2023-35159

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 3.4-milestone-1 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1)

Description The XWiki Platform is vulnerable to a cross-site scripting (XSS) attack, allowing users to inject JavaScript into a page by forging a URL with a payload. This can be exploited using the deletespace template, for example, by using a URL such as "xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)". The vulnerability exists since XWiki 3.4-milestone-1.

Recommendations For XWiki Platform versions 3.4-milestone-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1), update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template deletespace.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.