CVE-2023-29528 Information

Description

XWiki Commons are technical libraries common to several other top-level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code, and thus cross-site scripting, via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection (

References

https://jira.xwiki.org/browse/XWIKI-20348
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h
https://jira.xwiki.org/browse/XCOMMONS-2568
https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab
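The defensive check behind this class of bug, as an added example that is not XWiki's code and not the fix referenced above: a sanitizer validates comment text against the HTML syntax rules for comments before serializing it, drops any comment that fails, and re-parses its own output to confirm it yields exactly one comment node and no tags. The validity rules are taken from the WHATWG HTML specification; the `strict` flag and the sample inputs are assumptions made for the example.

```python
from html.parser import HTMLParser

# Added example, not XWiki's code. The predicate follows the WHATWG HTML syntax
# rules for comment text; `strict` adds the older HTML5 rules (no "--" anywhere,
# no trailing "-"), which some cleaners enforce instead.


def is_valid_comment_text(text: str, strict: bool = False) -> bool:
    """True if `text` can be written verbatim between '<!--' and '-->'."""
    if text.startswith((">", "->")):
        return False
    if any(tok in text for tok in ("<!--", "-->", "--!>")):
        return False
    if text.endswith("<!-"):
        return False
    if strict and ("--" in text or text.endswith("-")):
        return False
    return True


def serialize_comment(text: str, strict: bool = False) -> str:
    """Emit a comment node, or nothing at all if its text is invalid.

    Dropping the node is the conservative choice for a sanitizer: rewriting
    comment text has no single safe form, so the node is removed outright.
    """
    return f"<!--{text}-->" if is_valid_comment_text(text, strict) else ""


class _Counter(HTMLParser):
    """Count what a re-parse of serialized markup actually produces."""

    def __init__(self) -> None:
        super().__init__()
        self.comments = 0
        self.tags = 0

    def handle_comment(self, data: str) -> None:
        self.comments += 1

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags += 1


def reparse_counts(markup: str) -> tuple[int, int]:
    """Return (comment_nodes, start_tags) seen when re-parsing `markup`."""
    parser = _Counter()
    parser.feed(markup)
    parser.close()
    return parser.comments, parser.tags


if __name__ == "__main__":
    # Constructed inputs: one valid comment text and three invalid ones.
    for sample in ("review note", ">leading gt", "a--!>b", "trailing<!-"):
        out = serialize_comment(sample)
        print(repr(sample), "->", repr(out), reparse_counts(out))
```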
