PT-2023-4712 · Xwiki · Xwiki Platform

Michitux

·

Published

2023-08-21

·

Updated

2023-08-29

·

CVE-2023-40176

CVSS v3.1

9.0

Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 4.1M2 through 14.10.4, and later versions prior to 15.1RC1 (fixed in 14.10.5 and 15.1RC1)

Description

Stored XSS in the user profile. Any registered user can store an HTML/JavaScript payload as the value of the time zone user preference, either from the browser or by calling the save URL of their own user profile with the right query string. The time zone displayer then prints the stored value without escaping, so the payload runs in the browser of every user who views the malicious profile, with that viewer's session and rights (hence the changed scope, S:C, and required user interaction, UI:R, in the vector). An attacker can use this to read information the victim can see and to perform actions, including rights changes, in the victim's name.

Recommendations

Update XWiki Platform to version 14.10.5 or 15.1RC1, where the issue is fixed. If updating is not immediately possible, apply the fix by hand: in the time zone displayer template (displayer_timezone.vm) replace the unescaped $!value with $!escapetool.xml($value), so that the stored preference is XML-escaped before it is written into the page. As a further temporary measure, restrict access to the user profile feature until the patch is in place. Note that output escaping only neutralises payloads; it does not remove them from user profiles where they were already stored, so after patching it is worth reviewing existing time zone preferences for values that are not plain time zone identifiers.
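The vulnerable and the patched rendering described above, modelled offline as an added example (Python written for this page, not XWiki's own code). The template fragments, the approximation of $escapetool.xml, the sample payload, the marker value and the IANA-style allowlist check are all assumptions made for the example; nothing here talks to a real XWiki instance.

```python
"""
Offline model of CVE-2023-40176: the XWiki user-profile time zone displayer
printed the stored preference with `$!value` (no escaping); the fix is
`$!escapetool.xml($value)`. Template fragments and escaping below are
simplified approximations, not XWiki's own code.
"""
import html
import re

# Constructed sample values: one legitimate IANA zone ID and one stored-XSS
# payload of the kind the advisory describes (any registered user can store it
# as their time zone preference).
LEGIT_TIMEZONE = "Europe/Paris"
XSS_TIMEZONE = '<img src=x onerror="fetch(\'/steal?c=\'+document.cookie)">'

# Harmless marker for checking a live instance after patching (assumption: you
# set it as your own time zone preference, then fetch your profile page).
MARKER = "<b>tzcheck</b>"


def escapetool_xml(value: str) -> str:
    """Approximates Velocity's $escapetool.xml($value): & < > " ' become
    entities. Real tools may spell the entities differently (numeric vs.
    named); what matters is that no character can open a tag or break out of
    an attribute."""
    return html.escape(value, quote=True)


def render_timezone_vulnerable(value: str) -> str:
    """Models the pre-14.10.5 displayer: the stored value is inlined as-is."""
    return f'<dd class="timezone">{value}</dd>'


def render_timezone_fixed(value: str) -> str:
    """Models the patched displayer: the value is XML-escaped before output."""
    return f'<dd class="timezone">{escapetool_xml(value)}</dd>'


# Any tag other than the <dd> wrapper the template itself emits means the
# stored value was interpreted as markup.
FOREIGN_TAG_RE = re.compile(r"<(?!/?dd\b)[^>]*>")


def output_is_safe(rendered: str) -> bool:
    """True when the rendered fragment carries no markup coming from the value."""
    return FOREIGN_TAG_RE.search(rendered) is None


# Defence in depth (an addition for this example, not part of the XWiki fix):
# IANA zone IDs consist of letters, digits, '_', '+', '-' in up to three
# '/'-separated components, so anything else can be rejected when the
# preference is saved, independently of output escaping.
IANA_ZONE_RE = re.compile(r"^[A-Za-z0-9_+\-]+(?:/[A-Za-z0-9_+\-]+){0,2}$")


def is_plausible_timezone(value: str) -> bool:
    """Allowlist check on the shape of a time zone ID."""
    return bool(IANA_ZONE_RE.match(value))


def profile_looks_patched(page_html: str) -> bool:
    """For a fetched profile page whose time zone was set to MARKER: patched
    if the raw marker is absent while its text still appears (rendered as
    text, not as markup). Independent of how the entities are spelled."""
    return MARKER not in page_html and "tzcheck" in page_html


if __name__ == "__main__":
    for label, value in (("legit", LEGIT_TIMEZONE), ("payload", XSS_TIMEZONE)):
        for name, render in (("vulnerable", render_timezone_vulnerable),
                             ("fixed", render_timezone_fixed)):
            out = render(value)
            print(f"{label:8}{name:11}safe={output_is_safe(out)!s:6}{out}")
        print(f"{label:8}plausible IANA id: {is_plausible_timezone(value)}")
```

Run it directly to see the four renderings side by side: the legitimate zone is rendered identically by both displayers, while the payload only survives as markup in the vulnerable one. profile_looks_patched is the check to run against a real instance once you have set the harmless marker as your own time zone and fetched your profile page; it deliberately does not depend on the exact entity spelling a given escapetool version produces.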

Exploit

Fix

XSS

Related Identifiers

BDU:2023-05138
CVE-2023-40176
GHSA-H8CM-3V5F-RGP6

Affected Products

Xwiki Platform