VYPR
High severity · NVD Advisory · Published Dec 31, 2020 · Updated Aug 4, 2024

CVE-2020-13654

Description

XWiki Platform before 12.8 mishandles escaping in the property displayer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XWiki Platform before 12.8 fails to escape user input in property displayers, leading to stored cross-site scripting (XSS) in user profile fields.

Vulnerability

XWiki Platform versions prior to 12.8 mishandle escaping in the property displayer, resulting in a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient output encoding when rendering user-supplied data in profile fields such as "Company" [4].

Exploitation

An attacker who can edit user profile fields—either as an administrator or through self-registration—can inject arbitrary JavaScript. The malicious script is stored on the server and executed in the browsers of any user who views the affected profile page. No special privileges beyond the ability to edit a profile are required [4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, access to sensitive information, or unauthorized actions performed on behalf of the victim [4].

Mitigation

The issue is fixed in XWiki Platform version 12.8. Users are advised to upgrade to this version or later. The fix was implemented in pull request #1315, which addresses the escaping flaw in the property displayer [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                | Ecosystem | Affected versions | Patched versions
org.xwiki.platform:xwiki-platform-web  | Maven     | < 12.8            | 12.8

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 7

News mentions: 0 (no linked articles in our index yet)