PT-2023-8607 · Xwiki · Xwiki-Commons-Xml

Michael Hamann · Published 2023-05-09 · Updated 2023-05-16 · CVE-2023-31126

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
- org.xwiki.commons:xwiki-commons-xml versions 14.6-rc-1 through 14.10.3
- org.xwiki.commons:xwiki-commons-xml versions prior to 15.0 RC1

Description: The HTML sanitizer in the org.xwiki.commons:xwiki-commons-xml library allows the injection of arbitrary HTML code, and thus cross-site scripting, via invalid data attributes. This issue does not affect restricted cleaning in HTMLCleaner. The problem can be exploited, for example, via the link syntax in any content that supports XWiki syntax, allowing server-side code execution with programming rights when a privileged user is targeted. This impacts the confidentiality, integrity, and availability of the XWiki instance.

Recommendations: For org.xwiki.commons:xwiki-commons-xml versions 14.6-rc-1 through 14.10.3, upgrade to version 14.10.4 or later. For org.xwiki.commons:xwiki-commons-xml versions prior to 15.0 RC1, upgrade to version 15.0 RC1 or later. As a temporary workaround, consider restricting the use of data attributes in HTML code until a patch is available.
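As an added example (not XWiki's code or the library's fix), this shows the kind of strict data-attribute check a sanitizer needs: an attribute name that merely starts with "data-" but is not a well-formed name is dropped instead of being passed through to the serialized output. The allowlist, function names and the sample attributes are assumptions constructed for the illustration.

```python
import re
from html import escape

# Conservative validator for custom data attribute names. The HTML spec requires
# a "data-" prefix, at least one character after the hyphen, an XML-compatible
# name and no ASCII upper-case letters. This pattern is deliberately tighter
# (ASCII only) so that odd name characters cannot survive re-serialisation.
_DATA_ATTR = re.compile(r"^data-[a-z0-9_][a-z0-9_.\-]*$")

# Hypothetical allowlist of ordinary attributes; not XWiki's configuration.
ALLOWED_ATTRS = {"class", "id", "title"}


def is_valid_data_attribute(name: str) -> bool:
    """True only for names shaped like a well-formed custom data attribute."""
    return bool(_DATA_ATTR.match(name))


def filter_attributes(attrs: dict) -> dict:
    """Keep allowlisted attributes and well-formed data-* attributes; drop the rest.

    A name that starts with "data-" but contains spaces, quotes, '=' or '>' is
    rejected: such a name can smuggle a second attribute or a tag boundary once
    the element is written back out as HTML.
    """
    return {
        name: value
        for name, value in attrs.items()
        if name in ALLOWED_ATTRS or is_valid_data_attribute(name)
    }


def serialize(tag: str, attrs: dict) -> str:
    """Serialise a start tag; values are escaped, names are trusted only after
    filter_attributes has run."""
    parts = [f'{n}="{escape(v, quote=True)}"' for n, v in filter_attributes(attrs).items()]
    return f"<{tag}" + (" " + " ".join(parts) if parts else "") + ">"


if __name__ == "__main__":
    # Constructed sample: legitimate and malformed attribute names side by side.
    sample = {
        "class": "note",
        "data-widget": "clock",
        "data-": "empty suffix",
        "data-Widget": "upper-case letter",
        'data-x" title="y': "name that carries a second attribute",
        "onclick": "not allowlisted",
    }
    print(serialize("span", sample))  # only class and data-widget survive
```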

Tags: Exploit · Fix · XSS

Related Identifiers: BDU:2024-01260, CVE-2023-31126, GHSA-PV7V-PH6G-3GXV

Affected Products: Xwiki-Commons-Xml