CVE-2023-46732

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.14 XWiki Platform versions prior to 15.5.1 XWiki Platform versions prior to 15.6 RC1

Description The issue is related to reflected cross-site scripting (RXSS) via the rev parameter used in the content of the content menu without escaping. An attacker can exploit this by convincing a user to visit a link with a crafted parameter, allowing the execution of arbitrary actions in the name of the user. This includes remote code (Groovy) execution in the case of a user with programming rights, compromising the confidentiality, integrity, and availability of the whole XWiki installation.

Recommendations For versions prior to 14.10.14, upgrade to version 14.10.14 or later. For versions prior to 15.5.1, upgrade to version 15.5.1 or later. For versions prior to 15.6 RC1, upgrade to version 15.6 RC1 or later. As a temporary workaround, consider manually applying the patch in commit 04e325d57 without upgrading or restarting the instance. Avoid using the rev parameter in the content of the content menu until the issue is resolved.