PT-2023-26177 · Xwiki · Xwiki

Michael Hamann · Published 2023-05-11 · Updated 2023-10-31 · CVE-2023-37908

CVSS v3.1: 9.0 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki versions 14.6-rc-1 through 14.10.3, that is, every release from 14.6-rc-1 up to but not including the fixed releases 14.10.4 and 15.0 RC1. Releases before 14.6-rc-1 are not affected.
Description: The issue lies in the cleaning of attributes during XHTML rendering in XWiki. Attribute names that are not on the allow-list were correctly recognised as not allowed, but instead of being dropped they were still written to the output with the prefix data-xwiki-translated-attribute- and no further cleaning or validation of the name itself. Because the name was never checked against the rules for a valid attribute name, an attacker could supply a name containing characters that terminate an attribute and let the HTML tokenizer read a new attribute or tag, injecting arbitrary HTML and therefore cross-site scripting. The attribute value was escaped; the flaw is entirely in how the name was emitted. The injection is reachable through the link syntax in any content that accepts XWiki syntax, for example comments, so no edit right beyond commenting is needed. When a user moves the mouse over such a malicious link, the injected JavaScript runs in the context of that user's session. If the victim holds programming rights, the script can execute server-side code with those rights, which compromises the confidentiality, integrity and availability of the whole XWiki instance.
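The following is an added illustration of the flaw class described above, written for this page; it is not XWiki's rendering code or its patch. It models a small allow-list renderer for the XWiki 2.1 link syntax `[[label>>target||name="value"]]`, with the allow-list, the simplified parser, the `data-xwiki-translated-attribute-` translation step and the payloads all constructed here as assumptions. The vulnerable renderer escapes the attribute value but writes the unvalidated name behind the prefix; the hardened variant checks the name against the ASCII subset of the XML Name production and drops anything else.

```python
import html
import re

# Attributes the simplified renderer passes through on <a>; any other parameter
# name is "translated" into a data-* attribute instead of being dropped. This is
# a constructed allow-list for the example, not XWiki's real one.
ALLOWED_LINK_ATTRIBUTES = {"class", "title", "rel", "target"}
TRANSLATED_PREFIX = "data-xwiki-translated-attribute-"

# ASCII subset of the XML 1.0 Name production: first char letter/underscore/colon,
# then letters, digits, '-', '_', ':' or '.'. A name containing '/', '"', '<', '>',
# '=' or whitespace fails this check and must never reach the output.
VALID_ATTRIBUTE_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*")

LINK_SYNTAX = re.compile(
    r"\[\[(?P<label>.*?)>>(?P<target>.*?)(?:\|\|(?P<params>.*?))?\]\]")
PARAM_SYNTAX = re.compile(r'(?P<name>[^\s=]+)="(?P<value>[^"]*)"')


def parse_link(wiki_text):
    """Split one [[label>>target||name="value" ...]] link (constructed, simplified
    parser for the XWiki 2.1 link syntax). Parameter names are accepted verbatim,
    which is the precondition for the bug: nothing upstream rejects a name such as
    'a/onmouseover'."""
    m = LINK_SYNTAX.fullmatch(wiki_text.strip())
    if m is None:
        raise ValueError("not a link")
    params = [(p.group("name"), p.group("value"))
              for p in PARAM_SYNTAX.finditer(m.group("params") or "")]
    return m.group("label"), m.group("target"), params


def _attr(name, value):
    # The value is escaped correctly in both renderers; only the name differs.
    return f'{name}="{html.escape(value, quote=True)}"'


def render_link_vulnerable(wiki_text):
    """Models the flawed cleaning: a parameter that is not on the allow-list is
    recognised as such, but its name is still written out behind the prefix with
    no validation, so any character in the name reaches the HTML tokenizer."""
    label, target, params = parse_link(wiki_text)
    attrs = [_attr("href", target)]
    for name, value in params:
        if name.lower() in ALLOWED_LINK_ATTRIBUTES:
            attrs.append(_attr(name.lower(), value))
        else:
            attrs.append(_attr(TRANSLATED_PREFIX + name, value))
    return f"<a {' '.join(attrs)}>{html.escape(label)}</a>"


def render_link_fixed(wiki_text):
    """Hardened variant (added here, not XWiki's patch): only a syntactically
    valid attribute name may be emitted, whether allow-listed or translated;
    anything else is dropped. Returns the HTML plus the dropped names so the
    caller can log them."""
    label, target, params = parse_link(wiki_text)
    attrs = [_attr("href", target)]
    dropped = []
    for name, value in params:
        if not VALID_ATTRIBUTE_NAME.fullmatch(name):
            dropped.append(name)
            continue
        if name.lower() in ALLOWED_LINK_ATTRIBUTES:
            attrs.append(_attr(name.lower(), value))
        else:
            attrs.append(_attr(TRANSLATED_PREFIX + name, value))
    return f"<a {' '.join(attrs)}>{html.escape(label)}</a>", dropped


# Constructed inputs, not the advisory's proof of concept.
# A plain event-handler name is neutralised by the prefix: the browser sees
# data-xwiki-translated-attribute-onmouseover, which is inert.
HANDLER_COMMENT = '[[Hi>>https://example.com/||onmouseover="alert(1)"]]'
# '/' ends an attribute name in the HTML tokenizer and, when not followed by '>',
# the tokenizer resumes reading a new attribute, so 'a/onmouseover' becomes the
# inert attribute data-xwiki-translated-attribute-a followed by a live onmouseover.
MALICIOUS_COMMENT = '[[Click me>>https://example.com/||a/onmouseover="alert(document.cookie)"]]'
BENIGN_COMMENT = '[[Docs>>https://example.com/docs||rel="noopener" tooltip="See the docs"]]'

if __name__ == "__main__":
    for text in (HANDLER_COMMENT, MALICIOUS_COMMENT, BENIGN_COMMENT):
        print("vulnerable:", render_link_vulnerable(text))
        print("fixed:     ", *render_link_fixed(text))
```

The point the example makes is that escaping values is not enough when a sanitizer rewrites names: a name is part of the tag's markup, so it needs its own grammar check, and the safe failure mode for an unparseable name is to drop it rather than to rename it.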
Recommendations: Upgrade to XWiki 14.10.4 or later; on the 15.x line, 15.0 RC1 or later contains the fix. Until the upgrade is done, keep in mind that the link syntax is part of the core XWiki syntax, so disabling it is rarely practical and upgrading is the only reliable fix. To limit the impact in the meantime, keep the number of accounts with programming rights as small as possible and have those users avoid viewing untrusted content such as comments from other users, since it is their session that turns this cross-site scripting into server-side code execution.

Tags: Exploit · Fix

Weakness Enumeration

XSS (cross-site scripting)

Related Identifiers

CVE-2023-37908
GHSA-663W-2XP3-5739
GHSA-6GF5-C898-7RXP

Affected Products

Xwiki