PT-2024-30559 · Xwiki · Xwiki Platform

Michael Hamann · Published 2024-08-19 · Updated 2024-08-23 · CVE-2024-43400

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.21
XWiki Platform versions prior to 15.5.5
XWiki Platform versions prior to 15.10.6
XWiki Platform versions prior to 16.0.0

Description

The issue allows a user without Script or Programming rights to craft a URL pointing to a page that executes arbitrary JavaScript; exploitation requires social engineering to trick a user into following the URL.

Recommendations

For versions prior to 14.10.21, update to version 14.10.21 or later.
For versions prior to 15.5.5, update to version 15.5.5 or later.
For versions prior to 15.10.6, update to version 15.10.6 or later.
For versions prior to 16.0.0, update to version 16.0.0 or later.

As a temporary workaround, consider restricting access to the <xwiki-server>/xwiki/bin/view/ endpoint until a patch is available. Avoid using the test property in the object editor until the issue is resolved.
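The four fix versions above map onto separate maintenance branches, so a plain "is my version below 16.0.0" check would wrongly flag a patched 15.10.6 install. The script below is an added example (not code from XWiki or from the advisory publisher) that decides whether an installed version falls inside the affected ranges and which release to move to. The branch boundaries (14.x fixed in 14.10.21, 15.0 to 15.5 fixed in 15.5.5, 15.6 to 15.10 fixed in 15.10.6, 15.11 and later fixed in 16.0.0) are this example's interpretation of the advisory, not a statement from it.

```python
"""Check an XWiki Platform version string against the affected ranges in this advisory.

Added example, not XWiki or advisory-publisher code. The branch-to-fix mapping
below is an assumption drawn from the four fix versions listed above.
"""
import re

# (first version on the branch, first fixed version on that branch) -- assumed mapping
FIXED_BY_BRANCH = [
    ((0, 0, 0), (14, 10, 21)),   # 14.x and anything older: fixed in 14.10.21
    ((15, 0, 0), (15, 5, 5)),    # 15.0 .. 15.5: fixed in 15.5.5
    ((15, 6, 0), (15, 10, 6)),   # 15.6 .. 15.10: fixed in 15.10.6
    ((15, 11, 0), (16, 0, 0)),   # 15.11 and later: fixed in 16.0.0
]


def parse_version(text):
    """Turn '15.10.5', '15.10' or '15.10-rc-1' into a 3-tuple of ints.

    Missing components count as 0, so a pre-release such as '15.10-rc-1'
    compares below 15.10.6 and is reported as affected.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognized version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def format_version(v):
    return ".".join(str(p) for p in v)


def fix_version_for(version):
    """Return the first fixed release on the branch the given version belongs to."""
    v = parse_version(version)
    fixed = None
    for branch_start, branch_fix in FIXED_BY_BRANCH:
        if v >= branch_start:
            fixed = branch_fix   # list is ordered, so the last match is the right branch
    return format_version(fixed)


def is_affected(version):
    """True when the installed version is older than its branch's fix release."""
    return parse_version(version) < parse_version(fix_version_for(version))


def advise(version):
    """Human-readable remediation line for an installed version."""
    if is_affected(version):
        return f"{version}: affected by CVE-2024-43400, update to {fix_version_for(version)} or later"
    return f"{version}: not affected"


if __name__ == "__main__":
    # constructed sample inputs, one per branch plus a patched release
    for v in ["14.10.20", "15.5.4", "15.10-rc-1", "15.11.0", "15.10.6", "16.1.0"]:
        print(advise(v))
```

Run it against the version reported by the instance you administer; the `fix_version_for` result is the minimum release the advisory names for that branch, and anything at or above it is outside the affected ranges.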

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-43400
GHSA-WCG9-PGQV-XM5V

Affected Products

Xwiki Platform