Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml

`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Web页面标识中非法字符转义处理不恰当

XWiki Platform 跨站脚本漏洞

XWiki Platform是法国XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 14.6-rc-1到14.10.4版本存在安全漏洞，该漏洞源于HTML 元素清理器会接受无效数据属性，允许跨站脚本攻击。

N/A

N/A