CVE-2023-35158

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 9.4-rc-1 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-0

Description The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling cross-site scripting (XSS). This can be exploited by using a URL such as "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists due to the lack of measures to neutralize alternative XSS syntax.

Recommendations For XWiki Platform versions 9.4-rc-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-0, update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template restore.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.