CVE-2023-29201 Information

Description

XWiki Commons are technical libraries common to several other top level XWiki projects. The estricted\ mode of the HTML cleaner in XWiki introduced in version 4.2-milestone-1 only escaped <script> and <style>-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like <iframe>. As a consequence any code relying on this estricted\ mode for security is vulnerable to JavaScript injection (## Reference https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2 https://jira.xwiki.org/browse/XCOMMONS-1680 https://jira.xwiki.org/browse/XWIKI-9118 https://jira.xwiki.org/browse/XCOMMONS-2426 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182