XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

XWiki Rendering 安全漏洞

XWiki Rendering是XWiki基金会的一个通用渲染系统，它将给定语法（wiki 语法、HTML 等）中的文本输入转换为另一种语法（XHTML 等）。 XWiki Rendering 5.4.5至14.10之前版本存在安全漏洞，该漏洞源于XHTML语法依赖xdom+xml/current语法，可能导致跨站脚本攻击。

N/A

N/A