PT-2023-8608 · Xwiki · Xwiki

Ynoof · Published 2023-04-20 · Updated 2023-05-01 · CVE-2023-29528

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki, versions from 4.2-milestone-1 up to, but not including, 14.10
Description: The "restricted" mode of XWiki's HTML cleaner, which is meant to turn untrusted input into safe HTML, let an attacker inject arbitrary HTML, and therefore achieve cross-site scripting, through invalid HTML comments. The cleaner treated everything between "<!--" and the next "-->" as comment text and passed it through, but a comment whose content begins with ">" is serialized as "<!-->...", which browsers parse as an empty comment followed by live markup, so payload that the cleaner considered inert is rendered. When a user with programming rights views content carrying such a comment, the injected JavaScript runs in that user's session and can be used to execute server-side code with programming rights, compromising the confidentiality, integrity, and availability of the XWiki instance.
Recommendations: Upgrade to XWiki 14.10 or later. The fix removes HTML comments entirely in restricted mode and adds a check that comments do not start with ">". No workaround other than upgrading to a fixed version is known.
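The following is an added example, not code from the advisory or from the XWiki project. It models the parser differential behind this class of bug in Python: a cleaner that delimits comments leniently ("<!--" to the next "-->") and passes them through, beside a tokenizer that follows the HTML living standard's rules for comments (the "<!-->" and "<!--->" forms are complete, empty comments; the "<!--->" case comes from the spec, not from this advisory). The sample input, the tag denylist standing in for the real cleaner's rules, and all function names are constructed for illustration; the "fixed" cleaner models only the two behaviours the advisory names (drop comments in restricted mode, refuse comments whose content starts with ">").

```python
import re

# Constructed sample input, not taken from the advisory: body text with an
# "invalid" comment whose data starts with '>'.
SAMPLE = '<p>hello</p><!--><img src=x onerror=alert(1)>--><p>bye</p>'
SAMPLE_PLAIN = '<p>x</p><img src=x onerror=alert(1)>'

# Lenient comment grammar used by the modelled cleaner: '<!--' up to next '-->'.
_COMMENT_LENIENT = re.compile(r'<!--.*?-->', re.S)
# Stand-in for the cleaner's "restricted mode" rules (the real cleaner uses an
# allowlist; a denylist is enough to show the comment problem).
_DANGEROUS_TAG = re.compile(r'<(?:script|img|iframe|svg)\b[^>]*>', re.I | re.S)
_HTML5_COMMENT_END = re.compile(r'-->|--!>')


def lenient_comment_spans(html):
    """Comment boundaries as the lenient cleaner sees them."""
    return [(m.start(), m.end()) for m in _COMMENT_LENIENT.finditer(html)]


def restricted_clean_vulnerable(html):
    """Pre-fix model: strip dangerous markup between comments, keep comments verbatim."""
    out, pos = [], 0
    for start, end in lenient_comment_spans(html):
        out.append(_DANGEROUS_TAG.sub('', html[pos:start]))
        out.append(html[start:end])  # comment passed through untouched
        pos = end
    out.append(_DANGEROUS_TAG.sub('', html[pos:]))
    return ''.join(out)


def restricted_clean_fixed(html):
    """Post-fix model: in restricted mode comments are dropped outright, so a
    span the cleaner mis-delimits can never reach the output."""
    out, pos = [], 0
    for start, end in lenient_comment_spans(html):
        out.append(_DANGEROUS_TAG.sub('', html[pos:start]))
        pos = end
    out.append(_DANGEROUS_TAG.sub('', html[pos:]))
    return ''.join(out)


def comment_may_be_serialized(data):
    """Second part of the fix: refuse comment data that a browser would close
    immediately ('>' per the advisory; '->' is the spec's '<!--->' case)."""
    return not (data.startswith('>') or data.startswith('->'))


def browser_tokens(html):
    """Split html into ('comment', data) / ('markup', text) the way the HTML5
    tokenizer does: '<!-->' and '<!--->' are empty comments, otherwise a
    comment ends at the first '-->' or '--!>', or at end of input."""
    tokens, pos = [], 0
    while True:
        i = html.find('<!--', pos)
        if i < 0:
            if pos < len(html):
                tokens.append(('markup', html[pos:]))
            return tokens
        if i > pos:
            tokens.append(('markup', html[pos:i]))
        body = i + 4
        if html.startswith('>', body):        # abrupt close: <!-->
            tokens.append(('comment', ''))
            pos = body + 1
            continue
        if html.startswith('->', body):       # abrupt close: <!--->
            tokens.append(('comment', ''))
            pos = body + 2
            continue
        m = _HTML5_COMMENT_END.search(html, body)
        if m is None:                          # comment runs to end of input
            tokens.append(('comment', html[body:]))
            return tokens
        tokens.append(('comment', html[body:m.start()]))
        pos = m.end()


def rendered_markup(html):
    """Everything a browser would treat as markup rather than comment data."""
    return ''.join(text for kind, text in browser_tokens(html) if kind == 'markup')


def is_dangerous_in_browser(html):
    """True if the browser-visible markup still contains a denylisted tag."""
    return bool(_DANGEROUS_TAG.search(rendered_markup(html)))


if __name__ == '__main__':
    before = restricted_clean_vulnerable(SAMPLE)
    after = restricted_clean_fixed(SAMPLE)
    print('vulnerable cleaner output:', before, '-> dangerous:', is_dangerous_in_browser(before))
    print('fixed cleaner output:     ', after, '-> dangerous:', is_dangerous_in_browser(after))
```

The vulnerable path leaves the sample untouched because the whole payload sits inside what it believes is a comment; the browser model then yields an empty comment followed by the live `<img ... onerror>` tag. The fixed path never emits the comment, and `comment_may_be_serialized` rejects the same data on any path that still serializes comments.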

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-01261
CVE-2023-29528
GHSA-X37V-36WV-6V6H

Affected Products

Xwiki