PT-2023-29431 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-25 · Updated 2025-10-24 · CVE-2023-45136

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 12.0-rc-1 through 12.10.11; XWiki Platform versions 15.5-rc-1 and prior.
Description: The XWiki Platform is vulnerable to reflected cross-site scripting in the page creation form when document names are validated against a name strategy. An attacker who gets a user to open a crafted link can execute arbitrary actions with that user's rights, which may lead to remote code execution and full read and write access to the whole XWiki installation. The issue can be reproduced by opening a malicious link such as <xwiki-host>/xwiki/bin/create/Main/%3Cscript%3Ealert%28%27Test%20Test%20Test%20Test%20Test%27%29%3C%2Fscript%3E, where <xwiki-host> is the URL of the XWiki installation.
Recommendations: For XWiki Platform versions 12.0-rc-1 through 12.10.11, update to version 12.10.12 or later. For XWiki Platform versions 15.5-rc-1 and prior, update to version 15.5-rc-1 or later. As a temporary workaround, either disable the createinline.vm template file or manually apply the changes from the fix to the vulnerable file. Restricting access to the page creation form reduces the exposure until the update is applied.

Exploit

Fix

RCE

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-45136
GHSA-QCJ9-GCPG-4W2W

Affected Products

Xwiki Platform