CVE-2023-29205: 
Java vulnerability analysis and mitigation

XWiki Commons, a collection of technical libraries common to several XWiki projects, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2023-29205. The vulnerability was discovered in the HTML macro functionality, which failed to properly neutralize script-related HTML tags. This security issue affects versions up to (including) 14.7, and was patched in XWiki 14.8RC1 (GitHub Advisory, NVD).

The vulnerability stems from insufficient sanitization of HTML content in the HTML macro. When users without script rights use the HTML macro, the system fails to properly clean up and neutralize script-related HTML tags. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 base score of 9.9, indicating a high-impact security issue. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (GitHub Advisory).

The vulnerability allows any user with access to the HTML macro to introduce XSS attacks. This is particularly concerning in standard wiki installations where users can use the HTML macro in their own user profile pages. A successful exploit could lead to unauthorized script execution in the context of other users' sessions, potentially compromising the confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been patched in XWiki 14.8RC1. The fix ensures that HTML macros are systematically cleaned up when used by users without script rights. No workarounds are available for this issue, making it critical for affected installations to upgrade to the patched version (GitHub Advisory).