Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

CVE-2023-32070

Summary

The XWiki Platform, a widely used generic wiki solution, contains a vulnerability in its HTML rendering mechanism prior to version 14.6-rc-1. This flaw allows attackers to inject malicious scripts into web pages through unsafe attributes and link URLs, facilitating Cross-Site Scripting (XSS) attacks. Users are encouraged to upgrade to the latest version, 14.6-rc-1 or later, to mitigate the risk. No known workarounds exist, thus immediate action is recommended to secure affected installations.

References