CVE-2023-35160: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2023-35160). The vulnerability, which existed since XWiki 2.5-milestone-2, allowed users to forge URLs with payloads that could inject JavaScript into pages. The issue was discovered by René de Sain (@renniepak) and was patched in XWiki versions 14.10.5 and 15.1-rc-1 (GitHub Advisory).

The vulnerability allowed attackers to exploit the resubmit template to perform XSS attacks by crafting specific URLs. For example, an attacker could use a URL pattern like 'xwiki/bin/view/XWiki/Main?xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain)' to execute malicious JavaScript code. The vulnerability received a CVSS v3.1 base score of 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) according to GitHub's assessment (NVD).

The vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could potentially lead to full compromise of the user's session, allowing attackers to perform any actions within the application that the user could perform, view any information accessible to the user, and modify any information that the user had permission to modify (GitHub Advisory).

The vulnerability was officially patched in XWiki versions 14.10.5 and 15.1-rc-1. While it was possible to work around the vulnerability by editing the resubmit.vm template to perform checks, the proper fix involved new APIs that were recently introduced in XWiki. Users were recommended to upgrade to the patched versions (GitHub Advisory).