PT-2023-4819 · Xwiki · Xwiki

Michael Hamann · Published 2023-06-29 · Updated 2023-07-10 · CVE-2023-36471

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XWiki versions 14.6RC1 through 14.10.5
XWiki versions prior to 15.2RC1

Description
The issue arises from the HTML sanitizer in XWiki, which has allowed form and input HTML tags since version 14.6RC1. This lets an attacker without script right create forms for phishing attacks, or add inputs that lead to remote code execution when the resulting form is submitted by an admin. The attacker must make the edit form appear plausible, which can be challenging without script right.

Recommendations
For XWiki versions 14.6RC1 through 14.10.5, upgrade to version 14.10.6. For XWiki versions prior to 15.2RC1, upgrade to version 15.2RC1. As a temporary workaround, an admin can manually disallow the tags by adding form, input, select, textarea, button to the configuration option xml.htmlElementSanitizer.forbidTags in the xwiki.properties configuration file.
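The following script is an added example for verifying the workaround above on a defender's side; it is not code from the advisory or from the XWiki project. It assumes xwiki.properties follows the standard Java .properties syntax (comments starting with # or !, key=value or key: value, backslash line continuations) and that the key xml.htmlElementSanitizer.forbidTags named in the advisory holds a comma-separated list of element names. The two configuration samples are constructed for the example; the script only inspects the file and does not test the sanitizer's runtime behaviour.

```python
"""Check whether the CVE-2023-36471 workaround is present in an xwiki.properties file.

Added example, not XWiki project code. Assumes Java .properties syntax and that
xml.htmlElementSanitizer.forbidTags is a comma-separated list of HTML element names.
"""
import re
import sys

# Key named in the advisory; the comma-separated format is an assumption.
WORKAROUND_KEY = "xml.htmlElementSanitizer.forbidTags"
# Elements the advisory says must be forbidden for the workaround to be complete.
REQUIRED_TAGS = {"form", "input", "select", "textarea", "button"}

# Constructed sample: only the commented-out default is present, so nothing is forbidden.
VULNERABLE_CONFIG = """\
#-# Comma-separated list of HTML elements to forbid in sanitized content.
#-# xml.htmlElementSanitizer.forbidTags=
example.unrelated.key=value
"""

# Constructed sample: the advisory's workaround applied, using a backslash continuation.
HARDENED_CONFIG = """\
example.unrelated.key=value
xml.htmlElementSanitizer.forbidTags = form, input, \\
    select, textarea, button
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: skips comments and blank lines, joins
    backslash-continued lines (dropping the continuation line's leading
    whitespace, as Java does) and accepts '=' or ':' as the separator."""
    props: dict[str, str] = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:
            line = buf + line
            buf = ""
        if not line or line[0] in "#!":
            continue
        # A single trailing backslash continues the logical line.
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf = line[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def forbidden_tags(props: dict[str, str]) -> set[str]:
    """Element names currently listed under the forbidTags key (lower-cased)."""
    value = props.get(WORKAROUND_KEY, "")
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def missing_workaround_tags(props: dict[str, str]) -> set[str]:
    """Required elements that the configuration does not yet forbid."""
    return REQUIRED_TAGS - forbidden_tags(props)


def workaround_applied(text: str) -> bool:
    """True only when every element from the advisory is forbidden."""
    return not missing_workaround_tags(parse_properties(text))


def report(label: str, text: str) -> None:
    missing = missing_workaround_tags(parse_properties(text))
    status = "workaround applied" if not missing else "MISSING: " + ", ".join(sorted(missing))
    print(f"{label}: {status}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_forbid_tags.py /path/to/xwiki.properties
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(sys.argv[1], fh.read())
    else:
        report("vulnerable sample", VULNERABLE_CONFIG)
        report("hardened sample", HARDENED_CONFIG)
```

Run it without arguments to see both constructed samples evaluated, or pass the path of a real xwiki.properties. Treat a passing check as confirmation of the temporary workaround only; the advisory's actual fix is the upgrade to 14.10.6 or 15.2RC1.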

Exploit

Fix

Special Elements Injection

XSS

Weakness Enumeration

Related Identifiers
BDU:2023-05282
CVE-2023-36471
GHSA-6PQF-C99P-758V

Affected Products
Xwiki