PT-2023-20672 · Xwiki · Xwiki Platform

Michael Hamann

·

Published

2023-03-02

·

Updated

2023-03-10

·

CVE-2023-26480

CVSS v3.1

8.9

High

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 12.10 through 14.4.6
XWiki Platform versions 13.10.9 and earlier
XWiki Platform version 14.9 is not affected; versions prior to 14.9 are vulnerable. Since 14.4.7 is a fixed version, versions prior to 14.4.7 are considered vulnerable.

Description

A user without script rights can introduce a stored cross-site scripting vulnerability through the liveData macro. For instance, an attacker can inject malicious code into the description field, which is rendered as HTML. The estimated number of potentially affected devices is not provided. There are no known real-world incidents in which this issue was exploited.

Recommendations

For XWiki Platform versions 12.10 through 14.4.6, update to version 14.4.7 or later.
For XWiki Platform versions 13.10.9 and earlier, update to version 13.10.10 or later.
As a temporary workaround, consider disabling the liveData macro until a patch is available.
Restrict access to the liveData macro to minimize the risk of exploitation.
Avoid using the description field in the liveData macro until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-26480
GHSA-32FQ-M2Q5-H83G

Affected Products

Xwiki Platform