Description
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.
Remediation
References
Related Vulnerabilities
WordPress Plugin Mobile Events Manager CSV Injection (1.4.7)
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-2572)
WordPress Plugin WooCommerce Product Attachment Cross-Site Scripting (1.1.2)
SharePoint Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-1261)
WordPress Plugin Calendar Unspecified Vulnerability (1.3.10)