PT-2023-22202 · Xwiki · Xwiki

Stuart Walker · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29205

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 14.8RC1
Description: The HTML macro in XWiki does not properly neutralize script-related HTML tags, so any user who can use the HTML macro can inject script that runs in the browsers of other users who view the page (cross-site scripting). This is particularly dangerous in a standard wiki, where any user can use the HTML macro directly in their own user profile page, so a regular account is enough to plant the payload.
Recommendations: For versions prior to 14.8RC1, update to XWiki 14.8RC1 or later, which includes a patch that systematically cleans the output of the HTML macro whenever the macro's author does not hold script right. As a temporary workaround, restrict who is allowed to use the HTML macro to reduce the exposure until the upgrade is done.
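The rule the fix enforces is simple to state: raw HTML is emitted only when the macro author holds script right; for anyone else, script-related markup is removed before rendering. The following Python sketch is an added example of that rule, not XWiki's own code and not the actual patch. The deny-list of elements (`SCRIPT_TAGS`), the URL attributes checked for active schemes, and the helper names `has_active_scheme`, `sanitize_html` and `render_html_macro` are all assumptions made for illustration.

```python
# Illustrative model of the patched HTML-macro behaviour (not XWiki code):
# raw HTML is passed through only when the macro author holds script right;
# otherwise script-related tags and attributes are stripped before rendering.
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Assumed deny-list of "script-related" elements: anything that executes or
# embeds active content.  Non-void ones are dropped together with their content.
SCRIPT_TAGS = frozenset({"script", "iframe", "object", "embed", "applet",
                         "base", "link", "meta"})
# Attributes whose value is a URL and therefore may carry a javascript: scheme.
URL_ATTRS = frozenset({"href", "src", "action", "formaction", "xlink:href"})
# data: is blocked too (conservative assumption; it drops inline data: images).
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")
VOID_TAGS = frozenset({"area", "base", "br", "col", "hr", "img", "input",
                       "link", "meta", "source", "wbr"})


def has_active_scheme(value: str) -> bool:
    """True if following the URL would run code.

    Browsers ignore ASCII whitespace/control characters inside the scheme
    ("java\\tscript:" still executes), so characters up to and including space
    are removed before comparing.  Entity-encoded forms ("&#106;avascript:")
    are already decoded by HTMLParser when it hands us the attribute value.
    """
    compact = "".join(ch for ch in value if ch > " ").lower()
    return compact.startswith(ACTIVE_SCHEMES)


class ScriptStripper(HTMLParser):
    """Rebuilds a fragment, dropping script-related elements (with content),
    on* event-handler attributes and URL attributes with an active scheme."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self._dropping: Optional[str] = None  # element whose content is skipped

    @staticmethod
    def _render(tag: str, attrs, self_closing: bool) -> str:
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ("/>" if self_closing else ">")

    def _start(self, tag: str, attrs, self_closing: bool) -> None:
        if self._dropping:
            return                      # inside a dropped element: swallow it
        if tag in SCRIPT_TAGS:
            # Void or self-closing variants have no end tag, so only enter
            # skip mode for elements that will actually be closed later.
            if not (self_closing or tag in VOID_TAGS):
                self._dropping = tag
            return
        kept: List[Tuple[str, Optional[str]]] = []
        for name, value in attrs:       # HTMLParser lower-cases names for us
            if name.startswith("on"):   # onclick, onerror, onload, ...
                continue
            if name in URL_ATTRS and value is not None and has_active_scheme(value):
                continue
            kept.append((name, value))
        self.out.append(self._render(tag, kept, self_closing))

    def handle_starttag(self, tag, attrs):
        self._start(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag == self._dropping:
                self._dropping = None
            return
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                            # comments (incl. conditional) are dropped


def sanitize_html(fragment: str) -> str:
    """Return `fragment` with script-related HTML removed."""
    parser = ScriptStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def render_html_macro(content: str, author_has_script_right: bool) -> str:
    """Models the 14.8RC1 rule: HTML is emitted raw only when the macro's
    author holds script right; for everyone else it is cleaned first."""
    return content if author_has_script_right else sanitize_html(content)


if __name__ == "__main__":
    # Constructed sample: a profile-page fragment from an account without script right.
    sample = '<p onclick="steal()">Hi</p><script>alert(1)</script><a href="java\tscript:x">me</a>'
    print(render_html_macro(sample, author_has_script_right=False))
```

The parser rebuilds the fragment rather than pattern-matching on the raw string, which is what makes the entity-encoded and whitespace-padded scheme cases fall out naturally: by the time an attribute value reaches `has_active_scheme` it has already been decoded exactly as a browser would decode it.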

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2023-29205, GHSA-VXF7-MX22-JR24

Affected Products: Xwiki