Vulnerabilities > CVE-2023-29201 - Unspecified vulnerability in Xwiki
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.
Vulnerable Configurations
References
- https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2
- https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j
- https://jira.xwiki.org/browse/XCOMMONS-1680
- https://jira.xwiki.org/browse/XCOMMONS-2426
- https://jira.xwiki.org/browse/XWIKI-9118
- https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2
- https://jira.xwiki.org/browse/XWIKI-9118
- https://jira.xwiki.org/browse/XCOMMONS-2426
- https://jira.xwiki.org/browse/XCOMMONS-1680
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j
- https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182