CVE-2023-35161

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 6.2-milestone-1 through 14.10.4 XWiki Platform versions 15.1-rc-1 and earlier

Description The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling a cross-site scripting (XSS) attack. This can be exploited using the DeleteApplication page. For example, a URL such as "xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)" can be used. The vulnerability exists due to the lack of measures to neutralize alternative XSS syntax.

Recommendations For XWiki Platform versions 6.2-milestone-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.1-rc-1 and earlier, update to version 15.1 or later. As a temporary workaround, consider editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.