CVE-2023-35156

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 6.0-rc-1 through 14.10.5 XWiki Platform version 14.10.6 XWiki Platform version 15.1

Description The issue allows users to forge a URL with a payload to inject Javascript in the page, enabling a cross-site scripting (XSS) attack. This can be exploited by using a URL such as "xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists since XWiki 6.0-rc-1.

Recommendations For XWiki Platform versions 6.0-rc-1 through 14.10.5, update to version 14.10.6 or 15.1 to resolve the issue. For XWiki Platform version 14.10.5, note that the partial patch provided is not enough to entirely fix the vulnerability, so updating to version 14.10.6 or 15.1 is recommended. As a temporary workaround, consider editing the template delete.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.