CVE-2023-37908: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2023-37908) affects XWiki Rendering's XHTML rendering functionality, introduced in version 14.6-rc-1 and patched in versions 14.10.4 and 15.0 RC1. The vulnerability allows for the injection of arbitrary HTML code and cross-site scripting (XSS) through invalid attribute names in the XHTML rendering process (GitHub Advisory).

The vulnerability stems from improper validation of attributes during XHTML rendering. While invalid attributes were correctly identified as not allowed, they were still printed with a prefix 'data-xwiki-translated-attribute-' without proper cleaning or validation. This could be exploited through the link syntax in any content supporting XWiki syntax, such as comments. The vulnerability has a CVSS v3.1 base score of 9.6 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) (NVD).

When exploited, the vulnerability allows attackers to execute malicious JavaScript code in the context of the user session when a user interacts with the compromised content (e.g., hovering over a malicious link). If the affected user has programming rights, the attack can lead to server-side code execution with programming privileges, potentially compromising the confidentiality, integrity, and availability of the XWiki instance (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.4 and 15.0 RC1. The fix involves removing characters not allowed in data attributes and implementing additional validation of the cleaned attributes. There are no known workarounds apart from upgrading to a version that includes the fix (GitHub Advisory).