XWiki Notification Displayer Class Object Vulnerability Leading to Cross-Site Scripting

Vulnerability

A cross-site scripting (XSS) vulnerability exists in XWiki versions 15.9-rc-1 prior to 15.10.16, 16.0.0-rc-1 prior to 16.4.7, and 16.5.0-rc-1 prior to 16.10.2. The issue arises when a user without script rights creates a document containing an 'XWiki.Notifications.Code.NotificationDisplayerClass' object. If an admin later edits and saves that document, any malicious content stored in the object is rendered as raw HTML, enabling XSS. Although the notification displayer processes Velocity code, an existing generic analyzer already warns admins before they edit documents containing Velocity content. However, prior to XWiki 15.9, there was no such warning for documents with hazardous properties, leaving a gap in security.
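The defensive check an administrator would want here is an audit of exported documents for NotificationDisplayerClass objects whose template already carries active markup, so they can be reviewed before anyone with higher rights edits and saves them. The following is an added example and not code from the advisory or from the XWiki project; it parses a constructed XAR-style document export, and the element and property names it relies on (`xwikidoc`, `object`, `className`, `property`, `eventType`, `notificationTemplate`) are assumptions about that export format, as is the `is_risky_template` heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Class name taken from the advisory.
DISPLAYER_CLASS = "XWiki.Notifications.Code.NotificationDisplayerClass"
# Assumed name of the template property inside an exported displayer object.
TEMPLATE_FIELD = "notificationTemplate"

# Heuristic for markup that would become active once rendered as raw HTML.
# It is deliberately narrow; anything it flags needs a human look, and a clean
# result does not prove a template is harmless.
ACTIVE_MARKUP_RE = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|\bon\w+\s*=|javascript:", re.I
)

# Constructed sample export: one benign displayer, one risky displayer, and an
# unrelated object whose content must be ignored because of its class.
SAMPLE_EXPORT = """<xwikidoc>
  <web>Sandbox</web>
  <name>DisplayerTest</name>
  <author>xwiki:XWiki.lowprivuser</author>
  <object>
    <name>Sandbox.DisplayerTest</name>
    <number>0</number>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <property><eventType>update</eventType></property>
    <property><notificationTemplate>$event.type</notificationTemplate></property>
  </object>
  <object>
    <name>Sandbox.DisplayerTest</name>
    <number>1</number>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <property><eventType>update</eventType></property>
    <property><notificationTemplate>&lt;script&gt;/* constructed marker */&lt;/script&gt;</notificationTemplate></property>
  </object>
  <object>
    <name>Sandbox.DisplayerTest</name>
    <number>0</number>
    <className>XWiki.TagClass</className>
    <property><tags>&lt;script&gt;</tags></property>
  </object>
</xwikidoc>
"""


def is_risky_template(template: str) -> bool:
    """True when the template contains markup that would execute if rendered raw."""
    return bool(ACTIVE_MARKUP_RE.search(template or ""))


def find_risky_displayers(xml_text: str) -> list:
    """Return one finding per NotificationDisplayerClass object with a risky template."""
    root = ET.fromstring(xml_text)
    document = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author")
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != DISPLAYER_CLASS:
            continue  # other object types are out of scope for this check
        template = ""
        for prop in obj.findall("property"):
            node = prop.find(TEMPLATE_FIELD)
            if node is not None:
                template = node.text or ""
        if is_risky_template(template):
            findings.append({
                "document": document,
                "author": author,
                "object_number": int(obj.findtext("number") or 0),
                "template": template,
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_displayers(SAMPLE_EXPORT):
        print(f"{finding['document']} object #{finding['object_number']} "
              f"by {finding['author']}: {finding['template']!r}")
```

Running the audit across a full export and cross-checking each flagged document's author against the users who actually hold script rights gives the list of pages an admin should not open in edit mode until the template has been cleaned or the instance has been upgraded.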

Impact

Exploitation of this vulnerability allows cross-site scripting: an attacker can inject malicious script that is executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, first log in as a user without script rights and create a document with an 'XWiki.Notifications.Code.NotificationDisplayerClass' object. Set the 'Event Type' to 'update' and the 'Notification Template' to include a script tag with JavaScript code, such as an alert. Next, log in as an admin and edit the document. After saving, the injected script executes, demonstrating the XSS vulnerability.

Remediation

Users can update to XWiki versions 15.10.16, 16.4.7, or 16.10.2, where this vulnerability has been patched. Instructions for updating XWiki can be found in the XWiki documentation.
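Deciding whether a given installation falls inside the three affected ranges above is fiddly because XWiki version strings mix release candidates ("15.9-rc-1") with two- and three-part final versions, and a release candidate sorts before the final release it precedes. The following is an added example, not code from the advisory or from XWiki, that encodes the affected ranges exactly as the advisory states them and answers "is this version affected, and which fixed version should it move to"; the `parse_version` ordering rules are an assumption about how XWiki numbers its releases.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory as (first affected, first fixed) pairs;
# the lower bound is inclusive and the upper bound exclusive.
AFFECTED_RANGES = [
    ("15.9-rc-1", "15.10.16"),
    ("16.0.0-rc-1", "16.4.7"),
    ("16.5.0-rc-1", "16.10.2"),
]

# major.minor[.patch][-rc-N]; anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map an XWiki version string to a tuple that sorts in release order.

    The fourth element is 0 for a release candidate and 1 for a final release,
    so '15.9-rc-1' < '15.9' < '15.9.1' (assumed XWiki release ordering).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed version for the affected range containing
    `version`, or None when the version is outside every affected range."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    """True when `version` lies inside one of the advisory's affected ranges."""
    return recommended_fix(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for installed in ["15.8.3", "15.9-rc-1", "15.10.15", "16.4.7", "16.10.1", "17.0.0"]:
        fix = recommended_fix(installed)
        print(f"{installed:12} affected={is_affected(installed)!s:5} fix={fix}")
```

Note that a version between two ranges, such as 16.4.8, is reported as not affected because the advisory places the fix at 16.4.7 on that branch; versions newer than 16.10.2 are likewise outside the stated ranges.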

Added: Jun 13, 2025, 6:34 PM
Updated: Jun 13, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.