XWiki Blog Application Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the XWiki blog application, affecting versions prior to 9.15.7. The issue arises because blog post titles are injected directly into the HTML <title> tag without proper escaping. This allows an attacker with permission to create or edit posts to inject malicious JavaScript into the title, which is then executed in the browser of any user who views the post, potentially leading to session hijacking or privilege escalation.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the blog post.
Reproduction
To reproduce this vulnerability, log in as a user with rights to create blog posts. Create a new post and in the Title field, insert a payload designed to break out of the title tag, such as a script tag including JavaScript. After publishing the post, view it on the blog home page, where the injected script will execute.
Remediation
Users can update to XWiki Blog Application version 9.15.7 or later, where this vulnerability has been patched by adding the necessary escaping to prevent script injection.
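The check below is an added example, not XWiki's template code or its patch: it renders a title into a constructed page head with and without escaping, then uses Python's html.parser to confirm whether the title value produced a script element. The page skeleton, function names and probe title are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed test title of the kind the advisory describes: it closes the
# <title> element early and opens a <script> element. The page skeleton
# below is a hypothetical stand-in, not XWiki's template.
PROBE_TITLE = "</title><script>alert(1)</script>"


def render_head_unescaped(post_title: str) -> str:
    """Unescaped form: the title is concatenated into <title> as-is."""
    return f"<html><head><title>{post_title} - Blog</title></head><body></body></html>"


def render_head_escaped(post_title: str) -> str:
    """Escaped form: HTML metacharacters are encoded before insertion."""
    safe = html.escape(post_title, quote=True)
    return f"<html><head><title>{safe} - Blog</title></head><body></body></html>"


class HeadAudit(HTMLParser):
    """Records the elements a parser sees and the text inside <title>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.title_chunks = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_chunks.append(data)


def audit(page: str):
    """Return (script element count, text parsed as the page title)."""
    parser = HeadAudit()
    parser.feed(page)
    parser.close()
    return parser.tags.count("script"), "".join(parser.title_chunks)
```

A regression test for a patched instance can apply the same idea to a fetched page: the parsed title text should equal the stored post title, and the title value should contribute no elements of its own.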
