PT-2021-18229 · Xwiki · Xwiki Platform
Surlipu · Published 2021-04-20 · Updated 2021-04-29 · CVE-2021-29459
CVSS v3.1 score: 9.6 (Critical)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions:
XWiki Platform versions prior to 12.6.3
XWiki Platform versions prior to 12.8
Description:
The vulnerability is a stored (persistent) cross-site scripting issue: script injected into certain user-supplied fields is saved with the content and executed in the browser of anyone who later views it. Unregistered users can inject scripts through simple text fields. Registered users can inject scripts through their personal information fields and, if they have edit rights, through the values of static lists created with App Within Minutes. Script running in a victim's session can hijack that session, read data the victim is allowed to see, perform actions on the victim's behalf (request forgery with the victim's credentials) and take over the account. If the victim holds administrative rights, the attacker may be able to execute code on the server, depending on the application's configuration and the privileges of the compromised account.
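Because the injection is persistent, content planted while an instance was vulnerable remains in the database after the upgrade. The following audit script, added here as an example and not part of XWiki or of this advisory, scans stored text-field values (the user-profile and static-list fields described above) for markup that has no place in plain text, and shows why escaping at render time makes such a value inert. The records and field names are constructed assumptions.

```python
"""Audit stored text-field values for script injection of the kind this advisory
describes (HTML/JavaScript planted in fields that should hold plain text, such as
user profile fields or App Within Minutes static-list values). Added example, not
XWiki code; the records below are constructed and the field names are assumptions."""
import html
import re
from typing import Any, Dict, List, Tuple

# Markup that has no place in a plain text field. These are generic XSS
# indicators, not a list of payloads known to have been used against XWiki.
SUSPICIOUS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "active element": re.compile(r"<\s*(?:iframe|object|embed|svg|img|form|link|meta)\b", re.I),
    "event handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}

Record = Dict[str, Any]
Hit = Tuple[str, str, str]   # (document, field, reason)


def scan_records(records: List[Record]) -> List[Hit]:
    """Return one hit per (document, field) whose value matches a pattern.

    Values are HTML-unescaped first so that an entity-encoded payload stored
    as '&lt;script&gt;' is judged the same way as a raw one.
    """
    hits: List[Hit] = []
    for rec in records:
        for field, raw in rec["fields"].items():
            value = html.unescape(str(raw))
            for reason, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(value):
                    hits.append((str(rec["doc"]), field, reason))
                    break          # one hit per field is enough for an audit list
    return hits


def render_text_field(value: str, escape: bool = True) -> str:
    """Emit a text-field value into HTML. With escape=False this is the unsafe
    pattern the advisory describes; with escape=True the value is inert text."""
    return html.escape(value, quote=True) if escape else value


# Constructed sample: two user profiles and one App Within Minutes item.
SAMPLE_RECORDS: List[Record] = [
    {"doc": "XWiki.Alice", "fields": {"company": "Acme", "about": "Likes <3 hiking"}},
    {"doc": "XWiki.Mallory", "fields": {
        "company": "<img src=x onerror=\"fetch('/c?d='+document.cookie)\">",
        "about": "n/a"}},
    {"doc": "Inventory.Code.Item1",
     "fields": {"status": "<script>alert(document.domain)</script>"}},
]

if __name__ == "__main__":
    for doc, field, reason in scan_records(SAMPLE_RECORDS):
        print(f"{doc}.{field}: {reason}")
    payload = SAMPLE_RECORDS[2]["fields"]["status"]
    print("unsafe :", render_text_field(payload, escape=False))
    print("escaped:", render_text_field(payload))
```

Run it against an export of the relevant object properties; every hit is a field to clean up by hand, since the upgrade stops the script from executing but does not remove it from the stored data.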
Recommendations:
For XWiki Platform versions prior to 12.6.3, upgrade to version 12.6.3 or later.
For XWiki Platform versions prior to 12.8, upgrade to version 12.8 or later.
As a temporary workaround until an upgrade is possible, limit who can write to the affected fields: disallow editing (including filling simple text fields) for unregistered users, and grant edit rights on App Within Minutes applications and their static lists only to trusted users.
Keep users' edit rights to the minimum they need. Note that this does not close the personal-information vector available to any registered user, so upgrading is the only complete fix.
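The two fixed releases above map onto two affected ranges (anything before 12.6.3, and the 12.7.x line before 12.8), which is easy to get wrong when checking an inventory by hand. The following checker is an added example, not XWiki project code or part of this advisory; it encodes exactly those ranges and treats pre-releases (for example 12.6.3-rc-1) as older than the final release, and the version strings in the usage section are constructed.

```python
"""Check an XWiki Platform version string against the affected ranges in this
advisory (CVE-2021-29459): everything before 12.6.3, and 12.7.x before 12.8.
Added example, not XWiki project code; the version strings used in the usage
section are constructed."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases named in the recommendations. The trailing 1 marks a final
# release so that a pre-release such as 12.6.3-rc-1 sorts below it.
FIXED_LTS: Version = (12, 6, 3, 1)   # fix on the 12.6.x line
FIXED_MAIN: Version = (12, 8, 0, 1)  # first fixed release after the 12.7.x line


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-qualifier]' into a comparable tuple.

    A qualifier (e.g. '-rc-1', '-SNAPSHOT') means a pre-release, which is
    treated as older than the bare version it precedes.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-(\S+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)


def recommended_fix(version: str) -> Optional[str]:
    """Return the minimum fixed release for a vulnerable version, else None."""
    v = parse_version(version)
    if (12, 7, 0, 0) <= v < FIXED_MAIN:   # 12.7.x, and 12.8 pre-releases
        return "12.8"
    if v < FIXED_LTS:                     # 12.6.2, 12.5.x, 11.x, ... and 12.6.3 pre-releases
        return "12.6.3"
    return None


def is_vulnerable(version: str) -> bool:
    return recommended_fix(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, as an asset register might list it.
    for ver in ("11.10.11", "12.6.2", "12.6.3", "12.7.1", "12.8", "12.10.3", "12.6.3-rc-1"):
        fix = recommended_fix(ver)
        verdict = f"VULNERABLE, upgrade to {fix} or later" if fix else "not affected"
        print(f"{ver:<14} {verdict}")
```

The version string to feed in is the one the instance reports as its platform version; the checker only encodes the ranges stated on this page and says nothing about other XWiki advisories.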
Tags: Exploit, Fix, XSS
Affected Products: XWiki Platform