PT-2023-4811 · Xwiki · Xwiki Platform

Renniepak · Published 2023-06-20 · Updated 2023-06-30 · CVE-2023-35155

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions

  XWiki Platform versions prior to 14.4.8
  XWiki Platform versions prior to 14.10.4
  XWiki Platform versions prior to 15.0-rc-1
Description

The issue stems from the XWiki Platform's failure to protect its web page structure: user-controlled input is rendered into the page without adequate escaping, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. This can be achieved by forging a URL whose parameters carry a payload that injects JavaScript into the page. For example, the following URL executes script in the victim's browser:

  /xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.
Recommendations

  For versions prior to 14.4.8, update to version 14.4.8 or later.
  For versions prior to 14.10.4, update to version 14.10.4 or later.
  For versions prior to 15.0-rc-1, update to version 15.0-rc-1 or later.

As a temporary workaround, consider applying the patch available at https://github.com/xwiki/xwiki-platform/commit/ca88ebdefb2c9fa41490959cce9f9e62404799e7, which fixes the issue by modifying Velocity templates and page contents.
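The description above shows the vulnerable request shape (the share viewer's target parameter reflected without escaping), and the recommendations point at an escaping fix in the templates. The following Python example is added here and is not part of the advisory or of XWiki's code base: it parses request paths of that shape, flags share requests whose target values contain HTML markup (useful when reviewing access logs), and shows the hardened rendering step, escaping the value before it is embedded in HTML. The request lines are constructed; the second one reuses the URL quoted in the description. Note that the page's payload sends the target parameter twice (once empty), so the parser keeps every occurrence.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request paths (not real log data). The second line is
# the URL quoted in the advisory description above.
SAMPLE_REQUESTS = [
    "/xwiki/bin/view/Main/?viewer=share&send=1&target=alice%40example.org"
    "&includeDocument=inline&message=hello",
    "/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror"
    "%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain"
    "%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline"
    "&message=I+wanted+to+share+this+page+with+you.",
    "/xwiki/bin/view/Main/WebHome",
]

# A decoded recipient field should never contain the start of an HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def share_targets(path_query):
    """Return every decoded `target` value of a share-viewer request.

    Returns an empty list for requests that are not share requests. All
    occurrences of `target` are kept, because repeated parameters are part
    of the request shape shown in the advisory.
    """
    parts = urlsplit(path_query)
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("viewer", [""])[0] != "share":
        return []
    return params.get("target", [])


def is_suspicious(path_query):
    """True when a share request carries HTML markup in a target value."""
    return any(TAG_RE.search(target) for target in share_targets(path_query))


def scan(requests):
    """Filter a list of request paths down to the suspicious ones."""
    return [request for request in requests if is_suspicious(request)]


def render_recipient(target):
    """Hardened rendering: HTML-escape the value before embedding it.

    This mirrors the principle of the fix (escape before output); it is
    not XWiki's own template code.
    """
    return '<span class="recipient">' + html.escape(target, quote=True) + "</span>"


if __name__ == "__main__":
    for request in scan(SAMPLE_REQUESTS):
        print("suspicious share request:", request)
    print(render_recipient(share_targets(SAMPLE_REQUESTS[1])[1]))
```

The detection keys on the decoded value rather than the raw query string, so percent- and plus-encoded variants of the markup are caught the same way; the rendering helper shows the single step whose absence makes the reflected value executable.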

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2023-05274
CVE-2023-35155
GHSA-FWWJ-WG89-7H4C

Affected Products

Xwiki Platform