PT-2024-29654 · Unknown · Xwiki Platform

Michael Hamann · Published 2024-07-31 · Updated 2024-09-06 · CVE-2024-41947

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 15.10.8; XWiki Platform versions prior to 16.3.0RC1

Description: The issue allows an attacker to execute JavaScript in the browser session of another user, compromising the confidentiality, integrity, and availability of the whole XWiki installation. It is triggered by creating an edit conflict while a user with more rights is editing the same page: the attacker's content is rendered in the conflict-resolution dialog shown to that user without being escaped, so a script placed in the page body runs with the victim's privileges. The estimated number of potentially affected devices is not specified.

Reproduction: as a user with admin rights, open a document in the editor and do not save yet. Then, as a second user whose only right on that document is edit, replace the whole content with <script>alert('XSS')</script> and save. When the admin user now saves, a conflict popup appears. If they select "Fix each conflict individually" and an alert displaying "XSS" appears, the instance is vulnerable.
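The reproduction above is what the conflict dialog looks like from the attacker's side. The following is an added example, not XWiki's code, that models the failure mode in a minimal "fix each conflict individually" chooser: a renderer that concatenates the two colliding versions into HTML verbatim, beside one that escapes them, plus a check that mirrors the advisory's test. The renderer names, the conflict object shape and the sample page contents are constructed for the example.

```javascript
// Added example (not XWiki's code): a minimal conflict chooser that shows how
// rendering the colliding versions as raw HTML turns the conflict popup into an
// XSS sink, beside an escaped version. Function and field names are hypothetical.

// Constructed inputs reproducing the advisory's scenario: the attacker, who only
// has edit right on this page, saved the PoC payload as the page body while the
// admin still had the page open in the editor.
const ATTACKER_SAVED = "<script>alert('XSS')</script>";
const ADMIN_DRAFT = "Release notes for the next version.";

// Conservative HTML escaping for text placed inside element content or
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

// The conflict list the popup has to display: the admin's in-flight draft
// against the version the attacker managed to save in the meantime.
function buildConflicts(adminDraft, savedContent) {
  return [{ id: 1, previous: adminDraft, current: savedContent }];
}

// Vulnerable renderer: both versions are interpolated into the markup verbatim,
// so the attacker's saved content executes in the admin's session as soon as
// the admin opens "Fix each conflict individually".
function renderConflictVulnerable(conflict) {
  return [
    `<div class="conflict" data-id="${conflict.id}">`,
    `  <label><input type="radio" name="choice-${conflict.id}" value="previous"> Your version: ${conflict.previous}</label>`,
    `  <label><input type="radio" name="choice-${conflict.id}" value="current"> Saved version: ${conflict.current}</label>`,
    `</div>`,
  ].join("\n");
}

// Hardened renderer: every user-controlled fragment is escaped before it is
// placed into HTML, so the payload is displayed as text instead of executing.
function renderConflictFixed(conflict) {
  const id = escapeHtml(conflict.id);
  return [
    `<div class="conflict" data-id="${id}">`,
    `  <label><input type="radio" name="choice-${id}" value="previous"> Your version: ${escapeHtml(conflict.previous)}</label>`,
    `  <label><input type="radio" name="choice-${id}" value="current"> Saved version: ${escapeHtml(conflict.current)}</label>`,
    `</div>`,
  ].join("\n");
}

// Check a renderer the way the advisory's reproduction does: render the
// constructed conflict and look for a script tag surviving unescaped.
function leaksRawPayload(renderer, payload = ATTACKER_SAVED) {
  const html = buildConflicts(ADMIN_DRAFT, payload).map(renderer).join("\n");
  return /<script\b/i.test(html);
}

console.log("vulnerable renderer leaks raw <script>:", leaksRawPayload(renderConflictVulnerable));
console.log("fixed renderer leaks raw <script>:", leaksRawPayload(renderConflictFixed));
```

The point the check makes is that the payload never needs to survive a normal page view to be dangerous: the conflict dialog is a second, less-reviewed rendering path for the same page body, and it is rendered for exactly the user whose session is worth stealing.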
Recommendations: For XWiki Platform versions prior to 15.10.8, update to 15.10.8 or later. For XWiki Platform versions prior to 16.3.0RC1, update to 16.3.0RC1 or later. As a temporary workaround until the patch is applied, consider restricting the ability to create edit conflicts on pages, since the attacker needs only edit right on the target document to trigger one.
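To turn the two fixed releases into a check that can be run over an inventory of XWiki instances, here is an added example that is not XWiki's own tooling. It assumes the advisory's two ranges describe two maintained branches (15.x fixed in 15.10.8, 16.x fixed in 16.3.0RC1, anything older than 15.x unpatched) and accepts both the page's "16.3.0RC1" spelling and the Maven-style "16.3.0-rc-1"; the parser and ordering rules are assumptions made for the example.

```javascript
// Added example (not XWiki's code): affected-version check for CVE-2024-41947.
// Assumption: two fixed branches, 15.x -> 15.10.8 and 16.x -> 16.3.0RC1;
// pre-releases (milestone, rc) sort before the corresponding final release.

const FIXED_15_X = "15.10.8";
const FIXED_16_X = "16.3.0RC1";

// Parse "major.minor[.patch][-qualifier-N]" (hyphens optional) into a tuple
// [major, minor, patch, rank, qualifierNumber], where rank orders
// milestone (0) < rc (1) < final release (2).
function parseXWikiVersion(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(milestone|rc)-?(\d+))?$/i.exec(version.trim());
  if (!m) throw new Error(`unrecognised XWiki version: ${version}`);
  const qualifier = m[4] ? m[4].toLowerCase() : null;
  const rank = qualifier === "milestone" ? 0 : qualifier === "rc" ? 1 : 2;
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0), rank, Number(m[5] || 0)];
}

// Lexicographic comparison of the parsed tuples: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseXWikiVersion(a);
  const y = parseXWikiVersion(b);
  for (let i = 0; i < x.length; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when the given version falls inside the advisory's affected ranges.
function isAffectedByCVE202441947(version) {
  const [major] = parseXWikiVersion(version);
  if (major < 15) return true;                                   // no fix on older branches
  if (major === 15) return compareVersions(version, FIXED_15_X) < 0;
  return compareVersions(version, FIXED_16_X) < 0;               // 16.x and newer
}

// Constructed sample inventory to run the check over.
const SAMPLE_INSTANCES = ["14.10.21", "15.10.7", "15.10.8", "16.2.0", "16.3.0-rc-1", "16.3.0"];
for (const v of SAMPLE_INSTANCES) {
  console.log(`${v}: ${isAffectedByCVE202441947(v) ? "AFFECTED, update" : "not affected"}`);
}
```

The branch-aware comparison matters: a naive "is it below 16.3.0RC1" test would wrongly flag 15.10.8 as vulnerable, and a naive "is it above 15.10.8" test would wrongly clear 16.0.0 through 16.2.x.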

Tags: XSS

Related Identifiers: CVE-2024-41947, GHSA-692V-783F-MG8X

Affected Products: Xwiki Platform