The restricted mode of the HTML cleaner in XWiki Commons, designed to remove potentially harmful content from HTML, unfortunately only escaped <script> and <style> tags but not other dangerous HTML tags or attributes that could be used to inject scripts. Consequently, applications relying on this mode for security purposes are left vulnerable to cross-site scripting (XSS) attacks.
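As an added illustration (not XWiki's own code), the following Python models the flawed behaviour the advisory describes, escaping only `<script>` and `<style>`, next to an allow-list cleaner that treats every unlisted tag and attribute as inert text. `naive_clean`, `allowlist_clean`, the allowed-tag sets and the sample inputs are all constructed for this example, and the URL scheme check is deliberately simplified.

```python
import html
import re
from html.parser import HTMLParser

# Constructed model of the flawed mode the advisory describes: only <script> and
# <style> tags are escaped; every other tag and attribute passes through untouched.
def naive_clean(fragment: str) -> str:
    return re.sub(r"</?(script|style)\b[^>]*>",
                  lambda m: html.escape(m.group(0)), fragment, flags=re.I)

# Hypothetical hardened approach: rebuild the output from an allow-list of tags and
# attributes, so anything not on the list becomes inert escaped text, never markup.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)  # simplified scheme check

class AllowListCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # unknown tag: shown as text, never executed
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:  # drop every attribute not explicitly allowed
            if name in ALLOWED_ATTRS.get(tag, set()) and value and SAFE_URL.match(value.strip()):
                kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):  # <br/>: emit the start tag only
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else html.escape(f"</{tag}>"))
    def handle_data(self, data):  # comments and declarations are dropped by default
        self.out.append(html.escape(data))

def allowlist_clean(fragment: str) -> str:
    cleaner = AllowListCleaner()
    cleaner.feed(fragment)
    cleaner.close()
    return "".join(cleaner.out)

# Constructed samples: the first is all the flawed mode catches; the rest slip past it.
SAMPLES = ['<script>probe()</script>', '<img src="x" onerror="probe()">',
           '<a href="javascript:probe()">link</a>', '<p onclick="probe()">text</p>']

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}\n  naive:     {naive_clean(s)!r}\n  allowlist: {allowlist_clean(s)!r}")
```

Running the script prints each sample beside both cleaners' output; only the first sample is changed by `naive_clean`, while `allowlist_clean` neutralises all four.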
Fix and Resolution
To protect your XWiki instance from this vulnerability, it is highly recommended to upgrade to a version containing the fix, i.e., XWiki Commons version 14.6 RC1 or later. There are no known workarounds apart from upgrading to a version including the fix.
References
1. The official XWiki Commons website
2. XWiki 14.6 RC1 release notes
3. CVE-2023-29201 details
Published on: 04/15/2023 15:15:00 UTC
Last modified on: 04/25/2023 18:26:00 UTC