CVE-2023-29016: 
Java vulnerability analysis and mitigation

The Goobi viewer, a web application for displaying digitized material in web browsers, was found to contain a cross-site scripting (XSS) vulnerability in versions prior to 23.03. The vulnerability was discovered in March 2023 and assigned CVE-2023-29016. The issue specifically affects the nickname functionality in the Goobi viewer core component (GitHub Advisory).

The vulnerability stems from insufficient input validation and sanitization of user nicknames. When displaying nicknames on certain pages, the application failed to properly escape HTML characters, allowing malicious scripts to be executed in users' browsers. The issue has a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker could exploit this vulnerability by creating a user account and inserting malicious scripts into their profile's nickname field. When other users view pages displaying this nickname, the malicious script would execute in their browsers, potentially leading to session hijacking, data theft, or other client-side attacks (GitHub Advisory).

The vulnerability has been fixed in Goobi viewer core version 23.03. The fix includes adding proper input validation through a new nickname validator and implementing HTML escaping when displaying existing values (GitHub Patch).