CVE-2024-41947
XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution
Description
### Impact By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away. Then, as another user without any other right than edit on the specific document, change the whole content to `<script>alert('XSS')</script>`. When the admin user then saves the document, a conflict popup appears. If they select "Fix each conflict individually" and see an alert displaying "XSS", then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.8 and 16.3.0RC1. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21626 * https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
How to fix CVE-2024-41947
To remediate CVE-2024-41947, upgrade the affected package to a fixed version below.
- —upgrade to 15.10.8 or later
Is CVE-2024-41947 being exploited?
Moderate — EPSS is 13.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 11.8-rc-1, < 15.10.8