GHSA-692v-783f-mg8x
GitHub Security Advisory
XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution
Advisory Details
### Impact
By creating an edit conflict while another user with more rights is editing a page, it is possible to execute JavaScript in that user's browser, which compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an XWiki instance, a user with admin rights needs to edit a document without saving right away.
Then, as another user with no right other than edit on that specific document, change the whole content to `<script>alert('XSS')</script>`.
When the admin user then saves the document, a conflict popup appears. If they select "Fix each conflict individually" and see an alert displaying "XSS", the instance is vulnerable.
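The root cause class behind this advisory is a conflict dialog that injects the other user's document content into the privileged user's page as markup rather than as text. The following is an added example written for this advisory, not XWiki code and not the fix from the linked commit; the function names (`renderConflictUnsafe`, `renderConflictSafe`, `containsActiveMarkup`) and the conflict-entry shape are hypothetical. It contrasts a renderer that interpolates the conflicting version raw with one that escapes every untrusted value for the HTML context it lands in, using the advisory's own probe string as constructed input.

```javascript
// Added example, not code from XWiki: how a conflict-resolution dialog can
// end up executing a lower-privileged user's content, and the hardened form.
// Function names and the entry shape are hypothetical, chosen for this example.

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// One conflicting region: what the saving user wrote ("mine") versus what was
// saved meanwhile by someone else ("theirs"). Shape: { line, mine, theirs }.

// Vulnerable pattern: the other user's version is interpolated straight into
// markup, so any HTML it contains becomes part of the privileged user's page.
function renderConflictUnsafe(entry) {
  return (
    `<tr class="conflict" data-line="${entry.line}">` +
    `<td class="mine">${entry.mine}</td>` +
    `<td class="theirs">${entry.theirs}</td>` +
    `</tr>`
  );
}

// Hardened pattern: every untrusted value is escaped for the context it is
// placed in (text node or quoted attribute), so it is displayed, not parsed.
function renderConflictSafe(entry) {
  // Numeric attribute: coerce to an integer instead of trusting the input.
  const line = Number.isInteger(entry.line) ? entry.line : 0;
  return (
    `<tr class="conflict" data-line="${line}">` +
    `<td class="mine">${escapeHtml(entry.mine)}</td>` +
    `<td class="theirs">${escapeHtml(entry.theirs)}</td>` +
    `</tr>`
  );
}

// Crude review check: after removing the renderer's own <tr>/<td> template
// tags, does anything that looks like an element or an event-handler
// attribute remain? Enough to tell the two renderers apart.
function containsActiveMarkup(html) {
  const stripped = html.replace(/<\/?(tr|td)\b[^>]*>/g, "");
  return /<[a-zA-Z]|\bon[a-z]+\s*=/i.test(stripped);
}

// Constructed sample: the advisory's probe string as the low-privileged
// user's version of the conflicting region.
const sampleConflict = {
  line: 1,
  mine: "Release notes for 16.3",
  theirs: "<script>alert('XSS')</script>",
};

// Render the sample both ways and report whether active markup survived.
function demo() {
  const unsafe = renderConflictUnsafe(sampleConflict);
  const safe = renderConflictSafe(sampleConflict);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveMarkup(unsafe),
    safeActive: containsActiveMarkup(safe),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe renderer emits active markup:", r.unsafeActive);
  console.log("safe renderer emits active markup:  ", r.safeActive);
  console.log(r.safe);
}
```

The same rule applies whichever templating layer the dialog uses: the conflicting versions are attacker-controlled text from a user with fewer rights than the viewer, so they belong in text nodes (or escaped attribute values), never in raw HTML, and a content security policy that forbids inline scripts limits the damage if an escaping bug slips through.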
### Patches
This has been patched in XWiki 15.10.8 and 16.3.0RC1.
### Workarounds
We're not aware of any workaround except upgrading.
### References
* https://jira.xwiki.org/browse/XWIKI-21626
* https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.