CVE-2023-29508: 
Java vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in XWiki Commons (CVE-2023-29508), affecting versions prior to 13.10.11, 14.4.7, and 14.10. The vulnerability allows users without script rights to introduce a stored XSS attack by utilizing the Live Data macro, specifically when the last author of the page content has script rights (GitHub Advisory, XWiki Jira).

The vulnerability exists in the Live Data macro functionality where a user without script privileges can inject malicious HTML content through the HTML displayer feature. The CVSS v3.1 base score is 8.9 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L, indicating network vector attack with low complexity, requiring low privileges and user interaction (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers, potentially leading to session hijacking, data theft, or other malicious actions. The impact is particularly severe when the last author of the content has script rights, as it allows privilege escalation through the stored XSS attack (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10, 14.4.7, and 13.10.11. Users are strongly advised to upgrade to these or later versions. No known workarounds are available for unpatched systems (GitHub Advisory).