CVE-2023-45137: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, contains a cross-site scripting (XSS) vulnerability identified as CVE-2023-45137. The vulnerability affects org.xwiki.platform:xwiki-platform-web starting from version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1. The vulnerability was discovered and disclosed on October 25, 2023 (GitHub Advisory).

The vulnerability stems from missing escaping in the error message displayed when attempting to create a document that already exists. This allows for raw HTML injection and consequently cross-site scripting. The attack vector requires the document reference of the existing document to contain malicious code. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

When successfully exploited, this vulnerability allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link. Depending on the user's privileges, this could lead to remote code execution and full read and write access to the entire XWiki installation (GitHub Advisory).

The vulnerability has been patched in org.xwiki.platform:xwiki-platform-web version 13.4-rc-1 and org.xwiki.platform:xwiki-platform-web-templates versions 14.10.12 and 15.5-rc-1 by adding appropriate escaping. For users unable to upgrade immediately, a manual workaround is available by patching the vulnerable template file createinline.vm with the changes from the fix (GitHub Advisory).