PT-2023-8614 · Xwiki · Xwiki Platform

Renniepak · Published 2023-05-09 · Updated 2023-05-16 · CVE-2023-32071

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 2.2-milestone-1 through 14.4.7; XWiki Platform versions 14.4.8 through 14.10.3; XWiki Platform versions 14.10.4 through 15.0-rc-1 (excluding 14.10.4 and 15.0-rc-1)
Description
The issue allows execution of JavaScript with the rights of any user by leading them to a specially crafted URL on the wiki that targets a page containing an attachment. It can be exploited by adding an attachment to a page and then appending a specific query string to the page view URL, such as ?xpage=importinline&editor=%22%3E%3Cimg%20src%20onerror=alert(document.domain)%3E, to execute arbitrary JavaScript code.
Recommendations
For XWiki Platform versions 2.2-milestone-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.4.8 through 14.10.3, update to version 14.10.4 or later. For XWiki Platform versions prior to 15.0-rc-1 (excluding 14.10.4 and 15.0-rc-1), update to version 15.0-rc-1 or later. As a temporary workaround, edit the file <xwiki app>/templates/importinline.vm and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.
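Two defender-side checks for the weakness described above, added here as an illustrative example and not code from the advisory or from XWiki: a hypothetical template that reflects the editor parameter into an HTML attribute, showing why attribute-context encoding neutralises the quoted query string, and a scan of constructed access-log lines for importinline requests whose editor parameter carries HTML metacharacters. The log format, client IPs and wiki paths are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
# Query string quoted in the advisory, reused here as constructed test input.
ADVISORY_QS = ("xpage=importinline&editor="
               "%22%3E%3Cimg%20src%20onerror=alert(document.domain)%3E")
ADVISORY_EDITOR = parse_qs(ADVISORY_QS)["editor"][0]  # URL-decoded value

class TagCollector(HTMLParser):
    """Records every start tag a browser would see in the rendered markup."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
def start_tags(markup):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags
def render_editor_attr(editor, encode):
    """Hypothetical model (not XWiki's importinline.vm) of reflecting the
    'editor' parameter into an attribute: encode=False is the CWE-116 pattern
    the advisory describes, encode=True applies attribute-context encoding."""
    value = escape(editor, quote=True) if encode else editor
    return f'<input type="hidden" name="editor" value="{value}">'

# Combined log format; only the client IP and request path are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)')
def suspicious_importinline_requests(log_lines):
    """Flag xpage=importinline requests whose 'editor' value carries HTML
    metacharacters once URL-decoded (parse_qs does the decoding)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("path")).query)
        if "importinline" not in qs.get("xpage", []):
            continue
        for editor in qs.get("editor", []):
            if re.search(r'[<>"\']', editor):
                hits.append((m.group("ip"), editor))
    return hits

# Constructed access-log lines: one benign request, one matching the advisory.
SAMPLE_LOG = [
    '198.51.100.10 - - [09/May/2023:10:00:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=importinline&editor=wysiwyg HTTP/1.1" 200 4120',
    '203.0.113.7 - - [09/May/2023:10:00:01 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?' + ADVISORY_QS + ' HTTP/1.1" 200 4120',
]
```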

Exploit

Fix

Weakness Enumeration
Improper Encoding or Escaping of Output (XSS)

Related Identifiers

BDU:2024-01267
CVE-2023-32071
GHSA-J9H5-VCGV-2JFM

Affected Products

Xwiki Platform