It is possible to persistently inject scripts in XWiki.
For unregistred users:
For registered users:
That can lead to user’s session hijacking, and if used in conjunction with a social engineering attack it can also lead to disclosure of sensitive data, CSRF attacks and other security vulnerabilities.
That can also lead to the attacker taking over an account.
If the victim has administrative rights it might even lead to code execution on the server, depending on the application and the privileges of the account.
It has been patched on XWiki 12.8 and 12.6.3.
There is no easy workaround except upgrading XWiki.
https://jira.xwiki.org/browse/XWIKI-17374
If you have any questions or comments about this advisory: