PT-2023-8621 · Xwiki · Identity-Oauth-Ui

Lucaswitvoet · Published 2023-10-16 · Updated 2023-10-20 · CVE-2023-45144

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: com.xwiki.identity-oauth:identity-oauth-ui, versions prior to 1.6
Description: The application does not neutralize user-controlled input before including it in the generated page, allowing a remote, unauthenticated attacker to conduct a cross-site scripting (XSS) attack. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request are reflected without escaping, so they are vulnerable to both XSS and XWiki syntax injection; injected XWiki syntax can invoke the groovy macro, which turns the injection into remote code execution on the wiki. This affects the confidentiality, integrity, and availability of the whole XWiki installation.
Recommendations: Upgrade to Identity OAuth version 1.6, which fixes the issue. No workaround other than upgrading is known. Restricting access to the groovy macro narrows the path from injection to code execution and is worth doing in any case, but it does not remove the XSS or the syntax injection, so it is at best a stopgap until the upgrade is applied.

Exploit

Fix

Weakness Enumeration

Code Injection
XSS

Related Identifiers

BDU:2024-01274
CVE-2023-45144
GHSA-h2rm-29ch-wfmh

Affected Products

Identity-Oauth-Ui