Vulnerability Information
Vulnerability Title
Change Request Application vulnerable to XSS and remote code execution through change request title
Vulnerability Description
Change Request is an application allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical because Change Requests are meant to be created by users without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to work around the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and performing the same change as in the fix commit.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
Change Request cross-site scripting vulnerability
Vulnerability Description
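Change Request is an open-source library from XWiki Contrib. Change Request contains a cross-site scripting vulnerability, which stems from the fact that a user without any specific rights can perform script injection and remote code execution simply by inserting an appropriate title when creating a new change request.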
CVSS Information
N/A
Vulnerability Type
N/A