CVE-2021-29459: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it, was found to be vulnerable to persistent script injection in versions prior to 12.6.3 and 12.8. The vulnerability was discovered and disclosed on April 20, 2021. The issue affects both unregistered users who can exploit it through simple text fields, and registered users who can exploit it through personal information fields and static list values in App Within Minutes (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 MEDIUM according to NVD, though GitHub rates it as CRITICAL with a score of 9.6. The vulnerability is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue stems from insufficient input validation and sanitization in various text input fields throughout the application (NVD).

The vulnerability can lead to multiple severe consequences including user session hijacking, sensitive data disclosure through social engineering attacks, CSRF attacks, and potential account takeover. If an attacker successfully compromises an administrative account, it could potentially lead to remote code execution on the server, depending on the application configuration and account privileges (GitHub Advisory).

The vulnerability has been patched in XWiki versions 12.8 and 12.6.3. According to the security advisory, there is no easy workaround except upgrading to these patched versions (GitHub Advisory).