CVE-2024-41947: 
Java vulnerability analysis and mitigation

CVE-2024-41947 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered and disclosed on July 31, 2024, affecting versions from 11.8-rc-1 to 15.10.8 and 16.0.0-rc-1 to 16.3.0-rc-1. The issue has been patched in XWiki versions 15.10.8 and 16.3.0RC1 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, identified as CWE-79 and CWE-80. It received a CVSS v3.1 base score of 9.0 CRITICAL from GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, while NIST assigned a CVSS score of 5.4 MEDIUM (NVD).

The vulnerability compromises the confidentiality, integrity, and availability of the entire XWiki installation. When exploited, it allows attackers to execute JavaScript snippets on the side of users with elevated privileges, potentially leading to unauthorized access and system compromise (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.8 and 16.3.0RC1. No workarounds are available except upgrading to the patched versions. The fix involves improving escaping during conflict resolution (GitHub Advisory).