CVE-2023-36471: 
Java vulnerability analysis and mitigation

The CVE-2023-36471 vulnerability affects XWiki commons, the common modules used by other XWiki top-level projects. The vulnerability was discovered in the HTML sanitizer component introduced in version 14.6RC1 and was patched in versions 14.10.6 and 15.2RC1. The vulnerability allowed unauthorized users to exploit form and input HTML tags, potentially leading to phishing attacks or remote code execution (GitHub Advisory).

The vulnerability stems from the HTML sanitizer's permissive handling of form-related HTML tags. The sanitizer allowed form and input HTML tags in contexts where they should have been restricted. The vulnerability has a CVSS v3.1 base score of 9.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) according to GitHub's assessment, while NIST rates it as 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability enables two primary attack scenarios: First, attackers without script privileges can create forms for phishing attacks. Second, in the context of a sheet, attackers could add malicious input using the {{html}}{{/html}} syntax that could lead to remote code execution when submitted by an administrator. While the attack requires social engineering to appear plausible, it poses significant risks especially when targeting administrative users (Jira Issue).

The vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. As a workaround, administrators can manually disallow the tags by adding 'form, input, select, textarea, button' to the configuration option 'xml.htmlElementSanitizer.forbidTags' in the xwiki.properties configuration file (GitHub Advisory, GitHub Patch).