XWiki Platform Clickjacking Vulnerability via CSS Injection in Comments

Vulnerability

A clickjacking vulnerability has been identified in XWiki Platform versions prior to 17.9.0, 17.4.6, and 16.10.13. This issue allows users to inject CSS through comments, which can then be used to manipulate the appearance of the wiki, creating a deceptive link area that directs to a malicious page. All XWiki versions are susceptible to this type of attack.

Impact

Exploitation of this vulnerability could lead to clickjacking, where a user is tricked into interacting with a page element that is different from what they perceive.

Remediation

Update to XWiki Platform version 17.9.0, 17.4.6, or 16.10.13 to address this vulnerability. Where updating is not possible, a partial workaround may be implemented by reusing the JavaScript code shipped in the XWiki 17.9.0 release in a JSX object within the wiki, so that the wiki requests confirmation before following links to untrusted domains.
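As an added illustration of the workaround's mechanism (this is example code, not the JavaScript shipped with XWiki 17.9.0 and not part of this advisory), the snippet below classifies a link's resolved destination against an assumed list of trusted wiki hosts and, in a browser, intercepts clicks on external links with a confirmation prompt that names the real destination host. The trusted hosts and the attacker host in the comments are constructed placeholders.

```javascript
// Added example, not XWiki's own code: decide whether a link leaves the trusted
// wiki hosts, and ask the user to confirm before such a navigation proceeds.
// TRUSTED_HOSTS is an assumption; a real deployment lists its own wiki/SSO hosts.
const TRUSTED_HOSTS = ["wiki.example.org", "sso.example.org"];

// Returns true when href resolves to an http(s) host outside trustedHosts
// (subdomains of a trusted host count as trusted). Relative links resolve
// against baseUrl, so they stay inside the wiki and are never flagged.
function isUntrustedLink(href, baseUrl, trustedHosts = TRUSTED_HOSTS) {
  let target;
  try {
    target = new URL(href, baseUrl);
  } catch (e) {
    return false; // unparsable href cannot navigate anywhere, nothing to confirm
  }
  // Only http(s) navigations can send the user to another site.
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  const host = target.hostname.toLowerCase();
  return !trustedHosts.some((t) => host === t || host.endsWith("." + t));
}

// Installs a capturing click listener so the prompt runs before other handlers.
// Only attached in a browser; under Node (for testing) this is never called.
function installConfirmation(doc, trustedHosts = TRUSTED_HOSTS) {
  doc.addEventListener("click", (event) => {
    const anchor = event.target.closest && event.target.closest("a[href]");
    if (!anchor) return;
    const href = anchor.getAttribute("href");
    if (!isUntrustedLink(href, doc.location.href, trustedHosts)) return;
    // Show the real destination host, which injected CSS may have disguised.
    const dest = new URL(href, doc.location.href);
    const ok = doc.defaultView.confirm(
      "This link leaves the wiki for " + dest.hostname + ". Continue?"
    );
    if (!ok) {
      event.preventDefault();
      event.stopPropagation();
    }
  }, true);
}

if (typeof document !== "undefined") installConfirmation(document);
```

Protocol-relative links such as `//attacker.example/` resolve to an absolute http(s) URL and are therefore flagged like any other external link.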

Added: Feb 12, 2026, 9:18 PM
Updated: Feb 12, 2026, 9:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.2
exploitability: 5.0
remediation: 7.7
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.