CVSS: 9.0EPSS: 2%CPEs: 4EXPL: 2CVE-2023-29202 – org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29202
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS feed with malicious content. With the interaction of a user with programming rights, this could be used to execute arbitrary acti... • https://github.com/xwiki/xwiki-platform/commit/5c7ebe47c2897e92d8f04fe2e15027e84dc3ec03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 4CVE-2023-29201 – org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29201
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `