PT-2023-22198 · Xwiki · Xwiki Commons

Thomas Delafosse · Published 2023-04-12 · Updated 2026-05-26

CVE-2023-29201 · CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Commons versions 4.2-milestone-1 through 14.6 RC1

Description: The "restricted" mode of the HTML cleaner in XWiki only escaped <script> and <style> tags, but neither attributes that can be used to inject scripts nor other dangerous HTML tags such as <iframe>. This allows JavaScript injection, also known as cross-site scripting (XSS), when a privileged user with programming rights visits a comment in XWiki containing malicious JavaScript code. The code is executed in the context of that user's session, impacting the confidentiality, integrity, and availability of the XWiki instance.

Recommendations: For XWiki Commons versions 4.2-milestone-1 through 14.6 RC1, upgrade to XWiki 14.6 RC1 or later, which includes a patch with a filter that allows only specific HTML elements and attributes in restricted mode. As a temporary workaround, consider disabling the HTML macro that filters HTML using restricted mode until a patch is available. Restrict access to comments and other areas where the HTML macro is used to minimize the risk of exploitation.
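The following is an added example, not XWiki's code: the escape-only filter the description criticises placed beside an allowlist cleaner of the kind the fix introduces, which keeps only named elements and attributes and records what it dropped so a defender can log it. The allowlists, the URL scheme check and the sample comment (an event-handler attribute plus an <iframe>, which the escape-only filter returns unchanged) are constructed assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Weak filter the advisory describes: only <script>/<style> tags are escaped.
SCRIPT_STYLE_TAG = re.compile(r"</?(?:script|style)\b[^>]*>", re.IGNORECASE)

def escape_script_style_only(fragment: str) -> str:
    return SCRIPT_STYLE_TAG.sub(lambda m: escape(m.group(0)), fragment)

# Allowlist cleaner (constructed lists, not XWiki's config): everything else, including on* handlers, is dropped.
ALLOWED_ELEMENTS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "code"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # dropped: (kind, name) for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            self.dropped.append(("element", tag))       # e.g. iframe
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRIBUTES.get(tag, set())
            if allowed and name == "href":              # reject non-http(s)/mailto
                allowed = (value or "").lower().startswith(SAFE_HREF_SCHEMES)
            if not allowed:
                self.dropped.append(("attribute", f"{tag}@{name}"))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ELEMENTS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))                   # text is always re-escaped

def clean_allowlist(fragment: str):
    cleaner = AllowlistCleaner()   # returns (cleaned_html, dropped)
    cleaner.feed(fragment)
    cleaner.close()
    return "".join(cleaner.out), cleaner.dropped

# Constructed sample comment; escape_script_style_only() returns it unchanged.
SAMPLE_COMMENT = ('<p>Hi <b onmouseover="handler()">bold</b><iframe src="https://example.invalid/">'
                  '</iframe><a href="https://example.invalid/" target="_blank">link</a></p>')
```

Running clean_allowlist(SAMPLE_COMMENT) yields only the paragraph, bold text and the https link; the onmouseover attribute, the iframe and the target attribute appear in the dropped list.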

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-29201
GHSA-M3JR-CVHJ-F35J

Affected Products

Xwiki Commons