HTML sanitizer allows form elements in restricted mode in org.xwiki.commons:xwiki-commons-xml
CVE-2023-36471
Summary
XWiki Commons contains a vulnerability in its HTML sanitizer that lets unauthorized users introduce HTML form elements, potentially leading to phishing attacks and remote code execution. The issue arises from improper handling of form-related HTML tags: the sanitizer passes them through, so an attacker can craft malicious input that may be executed by an unsuspecting administrator. The vulnerability is fixed in versions 14.10.6 and 15.2RC1; users are strongly encouraged to upgrade or, as a workaround, to manually adjust the configuration so that the affected HTML elements are forbidden.
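The defensive principle behind the fix is an allowlist: a sanitizer should emit only elements and attributes it explicitly knows to be safe, so form-related tags never reach the output. The following is an added illustration in Python, not XWiki's sanitizer or its configuration; the element and attribute allowlists, the `FORM_ELEMENTS` set and the sample input are all constructed for this example. It also includes a separate `has_form_elements` check that a regression test can run over sanitizer output.

```python
from html import escape
from html.parser import HTMLParser

# Form-related elements that a sanitizer for user-supplied markup should never emit
# (constructed list for this example; it is not XWiki's configuration).
FORM_ELEMENTS = frozenset({
    "form", "input", "button", "select", "option", "textarea",
    "label", "fieldset", "legend", "datalist", "output",
})

# Minimal allowlist of elements and attributes (constructed for this example).
ALLOWED_ELEMENTS = frozenset({"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "code", "pre", "br"})
ALLOWED_ATTRS = {"a": frozenset({"href", "title"})}
VOID_ELEMENTS = frozenset({"br"})


def _attr_ok(name, value):
    """Reject link targets with unexpected schemes; other allowed attributes pass."""
    if name != "href":
        return True
    v = (value or "").strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/", "#"))


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted elements; every other tag is dropped (its text is kept)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            self.dropped.append(tag)
            return
        allowed = ALLOWED_ATTRS.get(tag, frozenset())
        attr_text = "".join(
            f' {k}="{escape(v or "", quote=True)}"'
            for k, v in attrs
            if k in allowed and _attr_ok(k, v)
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it on output.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, dropped_tag_names)."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)  # HTMLParser lowercases tag names


def has_form_elements(html):
    """Check used in tests: does this markup still contain any form-related element?"""
    c = _TagCollector()
    c.feed(html)
    c.close()
    return any(t in FORM_ELEMENTS for t in c.tags)


# Constructed sample: a fake login form plus a javascript: link, the kind of input
# the sanitizer must neutralise before it is shown to an administrator.
SAMPLE = (
    '<p>Hello</p>'
    '<form action="https://phishing.invalid/collect" method="post">'
    '<input name="password" type="password"><button>Login</button></form>'
    '<a href="javascript:alert(1)">x</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print("clean:  ", clean)
    print("dropped:", dropped)
    print("form elements remain:", has_form_elements(clean))
```

Dropped tags are removed but their text content is kept, which is the usual behaviour of allowlist sanitizers; `has_form_elements` is the check to run over the sanitizer's output in a regression test, so that a change to the allowlist cannot silently reintroduce form elements.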
Affected Version(s)
xwiki-commons >= 14.6-rc-1, < 14.10.6 (introduced in 14.6-rc-1, fixed in 14.10.6)
xwiki-commons >= 15.0-rc-1, < 15.2-rc-1 (introduced in 15.0-rc-1, fixed in 15.2-rc-1)