Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by using URL such as: >
Remediation
References
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q9hg-9qj2-mxf9
https://github.com/xwiki/xwiki-platform/commit/9f01166b1a8ee9639666099eb5040302df067e4d
https://jira.xwiki.org/browse/XWIKI-20342
https://jira.xwiki.org/browse/XWIKI-20583
Related Vulnerabilities
CVE-2022-27166 Vulnerability in maven package org.apache.jspwiki:jspwiki-war
CVE-2022-45379 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2020-11996 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2023-29515 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui
CVE-2017-1000503 Vulnerability in maven package org.jenkins-ci.main:jenkins-core