Pierrick Vuillemin

#21567 of 53,633
11.1 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2022-11917
5.4
2022-02-04
Xwiki · Xwiki · CVE-2021-43841
**Name of the Vulnerable Software and Affected Versions**
XWiki (affected versions not specified)

**Description**
The issue allows an attacker to upload an SVG file containing a script that is executed when the download action is performed on the file; the default XWiki configuration makes this exploitable.

**Recommendations**
Update the configuration so that SVG files are not displayed in the browser. As a temporary workaround, consider setting the configuration to download or display files properly to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-19891
5.7
2021-07-01
Xwiki · Xwiki Platform · CVE-2021-32730
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform versions prior to 12.10.5
XWiki Platform versions 13.0 through 13.1

**Description**
A cross-site request forgery issue exists that allows an attacker to forge a URL which, when accessed by an administrator, resets the password of any XWiki user.

**Recommendations**
For versions prior to 12.10.5, update to version 12.10.5 or later. For versions 13.0 through 13.1, update to version 13.2RC1 or later. As a temporary workaround, consider applying the patch manually by modifying the `register_macros.vm` template.