
Cloud Vulnerability DB
A community-led vulnerabilities database
XWiki Platform Flamingo Theme UI contained a Cross-Site Scripting (XSS) vulnerability tracked as CVE-2022-29251. It affects versions 6.3-rc-1 and above, and 6.2.4 and above: the 'newThemeName' form field in the FlamingoThemesCode.WebHomeSheet wiki page was not properly escaped, allowing XSS attacks. The issue was patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3 (GitHub Advisory).
The flaw lay in the FlamingoThemesCode.WebHomeSheet wiki page, where the value of the 'newThemeName' form field was written into the page without XML escaping. The attack vector was reflected XSS: malicious content passed in the newThemeName URL parameter was echoed back into the form unsanitized. The vulnerability has a CVSS v3.1 base score of 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N), indicating moderate severity (GitHub Advisory).
An attacker could use it to run arbitrary web scripts or HTML in the browser session of a user who opened a crafted link, potentially leading to theft of sensitive information or session hijacking. The CVSS vector requires low privileges (PR:L) and user interaction (UI:R), and indicates high confidentiality impact with no integrity or availability impact (GitHub Advisory).
The vulnerability was fixed by applying proper XML escaping to the newThemeName parameter. As a workaround before upgrading, users could manually edit the FlamingoThemesCode.WebHomeSheet wiki page to add that escaping themselves. The fix was implemented in commit bd935320bee3c27cf7548351b1d0f935f116d437 (GitHub Commit).
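To make the workaround concrete, the following Velocity snippet is an added illustration (not the advisory's text and not the actual source of FlamingoThemesCode.WebHomeSheet or of the fix commit) of the unsafe and the escaped way to echo the newThemeName request parameter inside an XWiki page. It assumes the standard XWiki Velocity bindings `$request` and `$escapetool` and the `{{html}}` macro; the form markup around the field is a constructed placeholder.

```velocity
{{velocity}}
## Unsafe pattern (illustrative): the raw request parameter lands inside an
## HTML attribute, so a crafted value can break out of the attribute and inject markup.
{{html clean="false"}}
<input type="text" name="newThemeName" value="$!request.newThemeName" />
{{/html}}

## Hardened pattern: escape for the XML/HTML context before output.
## $escapetool.xml() encodes & < > " and ', so the value cannot terminate the attribute.
{{html clean="false"}}
<input type="text" name="newThemeName" value="$!escapetool.xml($request.newThemeName)" />
{{/html}}
{{/velocity}}
```

When applying the workaround by hand, every place the sheet echoes the parameter needs the same treatment, not only the input field; a quick check is to load the page with a harmless marker such as `"><b>x</b>` in newThemeName and confirm it is rendered as literal text rather than as markup.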
Source: This report was generated using AI