CVE-2023-34464

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 2.2.1 through 14.4.7 XWiki Platform versions 14.4.8 through 14.10.4 XWiki Platform versions prior to 14.10.5 XWiki Platform versions prior to 15.1RC1

Description The issue is related to the lack of protection of the web page structure in XWiki Platform, allowing a remote attacker to introduce arbitrary information into a wiki project. Any user who can edit a document in a wiki can create a stored cross-site scripting attack by putting plain HTML code into that document and then tricking another user to visit that document with the displaycontent or rendercontent template and plain output syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions can be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation.

Recommendations For XWiki Platform versions 2.2.1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.4.8 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions prior to 14.10.5, update to version 14.10.5 or later. For XWiki Platform versions prior to 15.1RC1, update to version 15.1RC1 or later. As a temporary workaround, consider manually applying the patch to the rendercontent.vm template in an existing installation to patch this vulnerability without upgrading.