CVSS Score
The vulnerability stems from improper output encoding in the importinline.vm Velocity template. The pre-patch code concatenated raw request parameters ($request.editor and $request.section) into a query string without URL encoding. This allowed attackers to inject HTML/JavaScript payloads through the editor parameter that executed when the template output was rendered in the browser. The commit diff shows the fix added URL encoding via $escapetool.url(), confirming that the missing output encoding was the root cause. The template's handling of these parameters during query string construction is the vulnerable code path.
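To make the root cause concrete, the following added Python example (not XWiki's code and not the contents of importinline.vm) contrasts the pre-patch pattern, raw parameter values concatenated into a query string, with the post-patch pattern, values percent-encoded before concatenation. `urllib.parse.quote` is used as an approximation of what `$escapetool.url()` does; the exact set of characters each escapes is an assumption here. The request parameter values are constructed samples, and the helper names are hypothetical.

```python
from urllib.parse import quote, parse_qs

# Constructed sample values standing in for $request.editor and $request.section.
# They are not taken from any real request or from the XWiki template.
SAMPLE_PARAMS = {"editor": 'wiki"><i>injected</i>', "section": "Content&x=y"}

# Characters that let a value break out of an HTML attribute or tag when the
# built string is echoed into a page. '&' is deliberately excluded: it is the
# legitimate parameter separator and is not itself an HTML breakout character.
UNSAFE_CHARS = set('<>"\'')


def build_query_unencoded(params):
    """Pre-patch pattern from the advisory: raw values concatenated with no encoding."""
    return "&".join(f"{k}={v}" for k, v in params.items())


def build_query_encoded(params):
    """Post-patch pattern: every key and value is percent-encoded first.

    quote(..., safe='') approximates XWiki's $escapetool.url(); the precise
    escaping rules of that tool are an assumption, not verified here.
    """
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items())


def has_unsafe_chars(query):
    """Defender-side check: does the built query string still carry characters
    that can break out of HTML once the string is written into a page?"""
    return any(c in UNSAFE_CHARS for c in query)


def roundtrip(query):
    """Parse the query back the way a server would, to show that encoding both
    neutralises markup characters and preserves the original parameter values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


if __name__ == "__main__":
    raw = build_query_unencoded(SAMPLE_PARAMS)
    safe = build_query_encoded(SAMPLE_PARAMS)
    print("unencoded:", raw, "| unsafe chars:", has_unsafe_chars(raw))
    print("encoded:  ", safe, "| unsafe chars:", has_unsafe_chars(safe))
    # The raw form also corrupts the data: '&x=y' inside 'section' becomes a new parameter.
    print("raw parses to:    ", roundtrip(raw))
    print("encoded parses to:", roundtrip(safe))
```

Running the block shows two distinct failures of the unencoded form: the angle brackets and quote survive into the output (the XSS condition the advisory describes), and the embedded `&x=y` is reinterpreted as a separate parameter, so even non-malicious input is parsed wrongly. The encoded form has neither problem and reproduces the original values exactly after parsing.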
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-distribution-war | maven | >= 2.2-milestone-1, < 14.4.8 | 14.4.8 |
| org.xwiki.platform:xwiki-platform-distribution-war | maven | >= 14.5, < 14.10.4 | 14.10.4 |