CVE-2023-32070: 
Java vulnerability analysis and mitigation

CVE-2023-32070 affects XWiki Platform, a generic wiki platform, prior to version 14.6-rc-1. The vulnerability was discovered and disclosed on May 10, 2023. The issue involves HTML rendering not properly checking for dangerous attributes and attribute values (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically related to improper neutralization of script in attributes in XWiki (X)HTML renderers. The CVSS v3.1 scores vary between sources: NIST rates it as 6.1 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), while GitHub rates it as 9.0 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to perform cross-site scripting (XSS) attacks through attributes and link URLs that are supported in XWiki syntax. This could potentially lead to unauthorized access to sensitive data, modification of content, and execution of malicious scripts in the context of the user's browser (GitHub Advisory).

The vulnerability has been patched in XWiki version 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version (GitHub Advisory).