PT-2022-19499 · Xwiki · Xwiki Platform Flamingo Theme Ui

Thomas Mortagne

·

Published

2022-05-25

·

Updated

2022-06-07

·

CVE-2022-29251

CVSS v3.1

7.4

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform Flamingo Theme UI versions prior to 12.10.11
XWiki Platform Flamingo Theme UI versions prior to 13.4.7
XWiki Platform Flamingo Theme UI versions prior to 13.10.3
XWiki Platform Flamingo Theme UI version 14.0-rc-1 and earlier
Description

The wiki page FlamingoThemesCode.WebHomeSheet writes the newThemeName request parameter into a hidden form field without escaping it (value="$request.newThemeName"). Because the parameter is reflected verbatim into a double-quoted HTML attribute, a request value containing a double quote can close the attribute and add its own markup and script, which then runs in the browser of whoever loads the page, in the security context of the wiki (reflected cross-site scripting). The CVSS vector reflects this: no privileges are required, but the victim has to open a crafted request, for example a link (UI:R), and a successful attack exposes what the victim's browser session can access in the wiki (C:H).
Recommendations

For versions prior to 12.10.11, update to version 12.10.11 or later.
For versions prior to 13.4.7, update to version 13.4.7 or later.
For versions prior to 13.10.3, update to version 13.10.3 or later.
For version 14.0-rc-1 and earlier, update to a version later than 14.0-rc-1.

As a temporary workaround, edit the wiki page FlamingoThemesCode.WebHomeSheet and change the line

<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />

into

<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />

so that the request value is escaped for the HTML attribute context before it is written into the page. The workaround covers only this one field; upgrading to a fixed version is the proper remedy.
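To make the workaround concrete, the following added example (not XWiki's code and not part of the advisory) models the vulnerable and the fixed template line in JavaScript. The function escapeXml() is a stand-in for Velocity's $escapetool.xml and assumes it turns the five XML special characters (&, <, >, " and ') into entities; decodeEntities(), renderVulnerable(), renderFixed(), tagNames() and fieldValue() are illustrative helpers, and PAYLOAD and BENIGN are constructed inputs. Rendering the payload through the vulnerable line yields an extra <img> tag with an onerror handler and an empty hidden field, while the escaped line keeps everything inside the value attribute and hands the original string back unchanged.

```javascript
// Added example, not XWiki code and not from the advisory: models the
// vulnerable and the fixed line of FlamingoThemesCode.WebHomeSheet.
// escapeXml() stands in for Velocity's $escapetool.xml (assumption: it
// escapes & < > " ' as XML entities).

function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inverse of escapeXml: the text a browser stores in the field after decoding
// the attribute value.
function decodeEntities(s) {
  const map = { quot: '"', apos: "'", lt: '<', gt: '>', amp: '&' };
  return s.replace(/&(quot|apos|lt|gt|amp);/g, (_, e) => map[e]);
}

// Before the fix: value="$request.newThemeName" (request value pasted raw).
function renderVulnerable(newThemeName) {
  return `<input type="hidden" name="newThemeName" id="newThemeName" value="${newThemeName}" />`;
}

// After the fix / workaround: value="$escapetool.xml($request.newThemeName)".
function renderFixed(newThemeName) {
  return `<input type="hidden" name="newThemeName" id="newThemeName" value="${escapeXml(newThemeName)}" />`;
}

// Tag names a browser would see in the fragment, in order. Deliberately tiny;
// it only exists to show whether attacker text became markup.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  for (let m = re.exec(html); m !== null; m = re.exec(html)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Decoded content of the first value="..." attribute, i.e. what the hidden
// field actually carries once the fragment has been parsed.
function fieldValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m === null ? null : decodeEntities(m[1]);
}

// Constructed attacker input for the newThemeName parameter: closes the value
// attribute, injects an <img> with an onerror handler, and reopens an
// attribute so the template's trailing " /> still parses cleanly.
const PAYLOAD = '"><img src=x onerror=alert(document.domain)><i q="';

// Constructed benign theme name, to show the fix does not mangle real input.
const BENIGN = 'Dark & "Light" <beta>';

function demo() {
  const v = renderVulnerable(PAYLOAD);
  const f = renderFixed(PAYLOAD);
  console.log('vulnerable tags:', tagNames(v).join(','), '| field value:', JSON.stringify(fieldValue(v)));
  console.log('fixed tags:     ', tagNames(f).join(','), '| field value:', JSON.stringify(fieldValue(f)));
  console.log('benign via fix: ', fieldValue(renderFixed(BENIGN)) === BENIGN ? 'round-trips' : 'MANGLED');
}

demo();
```

Attribute-context escaping is enough here because the value sits inside a double-quoted attribute; the same request value written into a script block or a URL would need a different escaper, which is why the fix is applied at the point of output rather than by filtering the parameter on input.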

Weakness Enumeration

Improper Encoding or Escaping of Output (CWE-116)

Cross-Site Scripting (XSS)

Related Identifiers

CVE-2022-29251
GHSA-VMHH-XH3G-J992

Affected Products

Xwiki Platform Flamingo Theme Ui