
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-40176 is a stored cross-site scripting (XSS) vulnerability in XWiki Platform, discovered in August 2023. It affects versions from 4.1M2 up to, but not including, 14.10.5 and 15.1RC1. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it (GitHub Advisory, NVD).
The vulnerability lies in the timezone user preference of XWiki Platform. Although the profile form restricts the timezone to a dropdown menu, that restriction is not enforced when the value is saved: an attacker can bypass it with JavaScript in the browser's developer tools, or by calling the profile's save URL directly with a crafted query string, so an arbitrary string can be stored as the timezone. The root cause is insufficient output escaping in the timezone displayer component, which renders the stored value without escaping it (GitHub Advisory). GitHub assesses the CVSS v3.1 base score as 9.0 CRITICAL, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).
When exploited, the vulnerability lets an attacker execute arbitrary JavaScript in the browser of any user who views the attacker's user profile. This can lead to information theft and to privilege escalation, up to obtaining programming rights. Any user viewing the compromised profile is affected (GitHub Advisory).
The vulnerability is fixed in XWiki 14.10.5 and 15.1RC1. The fix escapes the timezone value when it is displayed, using $escapetool.xml() in the displayer_timezone.vm template. Administrators of older, unpatched versions can apply the same fix manually by editing displayer_timezone.vm and replacing $!value with $!escapetool.xml($value) (GitHub Advisory).
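As an added illustration (not XWiki's own code and not the real displayer_timezone.vm template), the Python below models the two renderings the advisory describes: the unescaped `$!value` interpolation and the fixed `$!escapetool.xml($value)` form. Python's `html.escape` stands in for Velocity's EscapeTool (the exact entity forms EscapeTool emits may differ), the `$!` null-to-empty semantics are modelled explicitly, and the span markup, the timezone allowlist and the sample values are constructed for this example. The server-side allowlist check at the end is an additional defense-in-depth measure that is not part of the published fix.

```python
import html
from typing import Optional

# Constructed stand-in for the set of timezone IDs the profile dropdown offers.
# Checking the submitted value against this on the server closes the gap the
# advisory describes (the dropdown alone does not restrict what gets stored).
KNOWN_TIMEZONES = frozenset({"UTC", "Europe/Paris", "America/New_York", "Asia/Tokyo"})

# Hypothetical wrapper markup; the real template's surrounding HTML is not modelled.
SPAN_OPEN = '<span class="timezone">'
SPAN_CLOSE = "</span>"


def _quiet(value: Optional[str]) -> str:
    """Models Velocity's `$!` prefix: a null reference renders as an empty string."""
    return "" if value is None else value


def render_timezone_vulnerable(value: Optional[str]) -> str:
    """Models the pre-fix template line `$!value`.

    The stored preference is interpolated into the page verbatim, so any markup
    stored as the timezone becomes part of the profile's HTML.
    """
    return f"{SPAN_OPEN}{_quiet(value)}{SPAN_CLOSE}"


def render_timezone_fixed(value: Optional[str]) -> str:
    """Models the fixed template line `$!escapetool.xml($value)`.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so whatever
    was stored is shown as text rather than parsed as markup.
    """
    return f"{SPAN_OPEN}{html.escape(_quiet(value), quote=True)}{SPAN_CLOSE}"


def validate_timezone(submitted: Optional[str], default: str = "UTC") -> str:
    """Defense in depth (constructed, not part of the published fix).

    Accept only a known timezone ID when the preference is saved; anything else,
    including markup smuggled past the dropdown, falls back to the default.
    """
    return submitted if submitted in KNOWN_TIMEZONES else default


def markup_is_neutralised(rendered: str) -> bool:
    """True when the rendered span body contains no raw tag delimiters.

    A simple check a reviewer can run over rendered output: after escaping,
    the only '<' and '>' left should be the wrapper span itself.
    """
    body = rendered[len(SPAN_OPEN):-len(SPAN_CLOSE)]
    return "<" not in body and ">" not in body


if __name__ == "__main__":
    # Constructed sample: a valid ID followed by a harmless tag, to show the
    # difference between the two renderings.
    stored = "Europe/Paris<script>/* constructed */</script>"
    print("vulnerable:", render_timezone_vulnerable(stored))
    print("fixed:     ", render_timezone_fixed(stored))
    print("validated: ", validate_timezone(stored))
```

Running the script prints the same stored string rendered both ways: the first line contains a live `<script>` element, the second shows it as inert `&lt;script&gt;` text. Output escaping is what the fix relies on; validating the saved value against the dropdown's own list additionally keeps unexpected content out of the database in the first place.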
Source: This report was generated using AI