PT-2023-22204 · Xwiki · Xwiki
Tmortagne · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29207
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 13.10.10
XWiki versions prior to 14.4.6
XWiki versions prior to 14.9
Description
The Livetable Macro wasn't properly sanitizing column names, which allowed the insertion of raw HTML code, including JavaScript. The issue was also exploitable via the Documents Macro, which has been included since XWiki 3.5M1 and doesn't require script rights, as demonstrated with the syntax
{{documents id="example" count="5" actions="false" columns="doc.title, before<script>alert(1)</script>after"/}}
Therefore, this can also be exploited by users without script rights and in comments. With the interaction of a user with more rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, and modifying or deleting content.
Recommendations
For XWiki versions prior to 13.10.10, update to version 13.10.10 or later.
For XWiki versions prior to 14.4.6, update to version 14.4.6 or later.
For XWiki versions prior to 14.9, update to version 14.9 or later.
As a temporary workaround, consider applying the patch to existing installations without upgrading by replacing the files skins/flamingo/macros.vm and templates/macros.vm in the web application directory with patched versions.
Tags: Exploit, Fix, RCE, XSS
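An added example, not code from XWiki or from this advisory: a Python audit that scans stored page and comment source for Documents Macro calls whose columns parameter contains HTML metacharacters, as in the syntax shown in the description. It assumes simple double-quoted parameter values; the page names and sample content are constructed.

```python
import re

# Matches a {{documents ...}} macro call, self-closing or opening tag.
MACRO_RE = re.compile(r"\{\{documents\b(.*?)/?\}\}", re.DOTALL | re.IGNORECASE)
# Assumption: parameter values are plain double-quoted strings.
COLUMNS_RE = re.compile(r'\bcolumns\s*=\s*"([^"]*)"', re.IGNORECASE)
# Characters that have no place in a column name and matter in HTML output.
HTML_META = set("<>&'\"")


def suspicious_columns(wiki_text):
    """Return (column_name, macro_call) pairs for column names with HTML metacharacters."""
    hits = []
    for macro in MACRO_RE.finditer(wiki_text):
        params = COLUMNS_RE.search(macro.group(1))
        if not params:
            continue
        for col in params.group(1).split(","):
            col = col.strip()
            if HTML_META & set(col):
                hits.append((col, macro.group(0)))
    return hits


def audit(documents):
    """Map each document name to its suspicious columns, skipping clean documents."""
    report = {}
    for name, source in documents.items():
        hits = suspicious_columns(source)
        if hits:
            report[name] = hits
    return report


# Constructed sample content: one benign macro call and the advisory's demo syntax.
SAMPLE_CONTENT = {
    "Main.Recent": '{{documents count="5" columns="doc.title, doc.date"/}}',
    "Sandbox.Comment42": '{{documents id="example" count="5" actions="false" '
                         'columns="doc.title, before<script>alert(1)</script>after"/}}',
}

if __name__ == "__main__":
    for page, hits in audit(SAMPLE_CONTENT).items():
        for column, _macro in hits:
            print(f"{page}: suspicious column name {column!r}")
```

Hits found on an instance that ran an affected version are worth reviewing together with the edit history of the page or comment that contains them.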
Affected Products
Xwiki