XWiki Contrib Syntax Markdown Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in XWiki Contrib's Syntax Markdown extension, affecting versions from 8.2 up to, but not including, 8.9. The vulnerability allows users to inject JavaScript into Markdown content, which is then executed in the browsers of users viewing the affected document or comment. This issue is particularly concerning if the injected script is executed by a user with administrative or programming rights, as it could compromise the entire XWiki installation.

Impact

Exploitation of this vulnerability allows for cross-site scripting, with the injected script running in the context of the user viewing the content. If executed by an admin or user with programming rights, it could lead to a complete compromise of the XWiki installation.

Reproduction

To reproduce this vulnerability, log into an XWiki instance with the CommonMark Markdown Syntax 1.2 extension installed, as a user without script rights. Edit a document and set the syntax to Markdown. Then, insert a script tag containing JavaScript code, such as an alert script, and save the document. Refresh the page to see the alert, indicating that the XSS payload was executed.

Remediation

Users can upgrade to XWiki Contrib Syntax Markdown version 8.9, where this vulnerability has been patched.
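While an instance is still on an affected release, a defender can audit existing Markdown content for raw HTML that an unpatched renderer would pass straight through. The following is an added example, not code from XWiki or the Syntax Markdown extension; it assumes plain CommonMark code-block rules (a fenced or indented block is rendered as text, not HTML) rather than the extension's actual parser, and the sample document is constructed.

```python
import re

# Constructed sample of the content the advisory describes: raw HTML mixed into
# Markdown, which an unpatched renderer passes straight through to the page.
SAMPLE_MARKDOWN = """# Notes
<script>alert(document.cookie)</script>
Inline <b onmouseover="alert(1)">bold</b> and <a href="javascript:alert(1)">link</a>.

    <script>indented code block: rendered as text, not HTML</script>
~~~
<script>fenced code block: rendered as text, not HTML</script>
~~~
"""

# Raw HTML constructs that must not reach a page rendered for other users.
RAW_HTML_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript-url": re.compile(r"(href|src)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE),
}
FENCE = re.compile(r"^ {0,3}(`{3,}|~{3,})")


def find_raw_html(markdown: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, line) for raw HTML found outside code blocks.

    Fenced blocks are tracked by toggling on each fence line; indented blocks are
    approximated as 4-space/tab-indented lines that follow a blank or code line."""
    findings = []
    in_fence = in_indented = False
    prev_blank = True
    for number, line in enumerate(markdown.splitlines(), start=1):
        if FENCE.match(line):
            in_fence, prev_blank = not in_fence, False
            continue
        if in_fence:
            continue
        in_indented = line.startswith(("    ", "\t")) and (prev_blank or in_indented)
        prev_blank = not line.strip()
        if in_indented or prev_blank:
            continue
        for kind, pattern in RAW_HTML_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, kind, line.strip()))
    return findings


def is_affected_version(version: str) -> bool:
    """True for the Syntax Markdown releases the advisory names: 8.2 <= v < 8.9."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (8, 2) <= (major, minor) < (8, 9)
```

Inline code spans are not excluded by this scanner, so a `<script>` mentioned inside backticks will be reported and needs manual review.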

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

spread          3.1
impact          4.2
exploitability  7.7
remediation     7.7
relevance       0.0
threat          6.5
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.