-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 12.0-rc-1, < 14.10.12 | 14.10.12 |
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 15.0-rc-1, < 15.5-rc-1 | 15.5-rc-1 |
The vulnerability stems from unescaped Velocity template outputs in createinline.vm. The commit diff shows that the fix involved adding $escapetool.xml() wrappers around $services.localization.render() calls for two error messages. This indicates the original code lacked proper output encoding for the templateProvider and allowedSpaces values, which are derived from user-controlled document names. The test cases added in CreateInlinePageTest.java demonstrate that HTML payloads in these parameters were rendered unescaped, confirming the XSS vector.
Ongoing coverage of React2Shell