Thomas Delafosse

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.6-rc-1 **Description** The issue concerns HTML rendering not checking for dangerous attributes or attribute values, allowing cross-site scripting (XSS) attacks via attributes and link URLs in XWiki syntax. **Recommendations** For versions prior to 14.6-rc-1, upgrade to version 14.6-rc-1 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTML rendering until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki Commons versions 4.2-milestone-1 through 14.6 RC1 **Description** The "restricted" mode of the HTML cleaner in XWiki only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. This allows for JavaScript injection, also known as cross-site scripting (XSS), when a privileged user with programming rights visits a comment in XWiki containing malicious JavaScript code. The code is executed in the context of the user session, impacting the confidentiality, integrity, and availability of the XWiki instance. **Recommendations** For XWiki Commons versions 4.2-milestone-1 through 14.6 RC1, upgrade to XWiki 14.6 RC1 or later, which includes a patch with a filter that allows only specific HTML elements and attributes in restricted mode. As a temporary workaround, consider disabling the HTML macro that filters HTML using restricted mode until a patch is available. Restrict access to comments and other areas where the HTML macro is used to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 14.9-rc-1 **Description** The issue arises from the lack of checks on the author of a JavaScript xobject or StyleSheet xobject added to a XWiki document. This allowed a user with only Edit Right to create such an object and craft a script that could perform certain operations when executed by a user with appropriate rights. **Recommendations** For versions prior to 14.9-rc-1, update to XWiki 14.9-rc-1 or later, which patches the issue by only executing the script if the author of it has Script rights. As a temporary workaround, consider applying the patch and rebuilding and redeploying `xwiki-platform-skin-skinx`.