XWiki Platform Flamingo Skin Resources and Web Templates Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in XWiki Platform versions 6.2-milestone-1 through 16.10.9, and 17.0.0-rc-1 through 17.4.1. It affects both the XWiki Platform Flamingo Skin Resources and the XWiki Platform Web Templates. An attacker can inject a script into the deletion confirmation message; the script executes when the victim clicks the 'No' button. If the victim holds admin or programming rights, this can escalate to remote code execution on the XWiki installation.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, with the potential for remote code execution if the victim has administrative or programming rights on the XWiki installation.

Reproduction

To reproduce this vulnerability, navigate to the 'DeleteApplication' feature within XWiki. When prompted with the deletion confirmation, the injected script will execute if the 'No' button is clicked. This can be demonstrated by including a script payload in the 'xredirect' parameter of the deletion confirmation URL.

Remediation

Users can update to XWiki Platform versions 16.10.10 or 17.4.2 to address this vulnerability. For version 17.5.0, the same patch applies. The patch can also be manually applied to the templates in the WAR file, followed by a restart of XWiki.
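The root cause described above is a redirect parameter ('xredirect') reaching the markup of the confirmation page without being constrained to a same-origin path or escaped. The following is an added illustration of the defensive pattern a template or controller should apply; it is not XWiki code, and the function names, the default target and the sample inputs are assumptions made for this example.

```python
"""Validate and escape a redirect parameter before rendering it into a
confirmation page. Added example for the advisory above; not XWiki code.
Function names, DEFAULT_TARGET and the sample inputs are assumptions."""
from html import escape
from urllib.parse import urlsplit

# Assumption: where to send the user when the supplied parameter is unusable.
DEFAULT_TARGET = "/"


def safe_redirect_target(value, default=DEFAULT_TARGET):
    """Return `value` only if it is a same-origin, absolute-path URL.

    Anything else falls back to `default`: a scheme (javascript:, data:,
    http:), a network location (//host), backslashes (browsers treat '\\'
    like '/'), and whitespace or control characters that could smuggle a
    different URL past a naive check.
    """
    if value is None:
        return default
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return default
    if "\\" in value:
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return value


def render_confirmation_unsafe(xredirect):
    """The pattern to avoid: untrusted input concatenated straight into
    an attribute, so a quote in the parameter breaks out of href."""
    return '<a class="btn" href="' + xredirect + '">No</a>'


def render_confirmation(xredirect):
    """Validate the target first, then attribute-escape it before it
    reaches the HTML, so neither a foreign scheme nor a stray quote
    changes the meaning of the markup."""
    target = safe_redirect_target(xredirect)
    return '<a class="btn" href="' + escape(target, quote=True) + '">No</a>'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path, three hostile ones.
    for sample in ("/xwiki/bin/view/Main/WebHome",
                   "javascript:alert(1)",
                   "//evil.example/",
                   '/a"onmouseover="x'):
        print(render_confirmation(sample))
```

Two layers are deliberate: validation limits the 'No' button to a relative path on the same origin, and escaping protects the attribute even when a validated path contains characters that are legal in a URL but dangerous in HTML.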

Added: Dec 10, 2025, 10:23 PM
Updated: Dec 10, 2025, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          1.7
exploitability  7.7
remediation     7.7
relevance       1.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.