GHSA-h2xq-h7f9-vh6c
CRITICALXWiki Blog Application home page vulnerable to Stored XSS via Post Title
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
org.xwiki.contrib.blog:application-blog-uiReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The Blog Application is vulnerable to Stored Cross-Site Scripting (XSS) via the Blog Post Title. The vulnerability arises because the post title is injected directly into the HTML <title> tag without proper escaping.
An attacker with permissions to create or edit blog posts can inject malicious JavaScript into the title field. This script will execute in the browser of any user (including administrators) who views the blog post. This leads to potential session hijacking or privilege escalation.
To reproduce:
- Log in as a user with rights to create blog posts.
- Create a new blog post.
- In the Title field, insert the following payload designed to break out of the title tag:
</title><script>alert('XSS in title blog')</script> - Save (Publish) the post.
- View the post in the blog home page
Patches
The vulnerability has been patched in the blog application version 9.15.7 by adding missing escaping.
Workarounds
XWiki Blog Application maintainers are not aware of any workarounds.
Resources
- https://jira.xwiki.org/browse/BLOG-245
- https://github.com/xwiki-contrib/application-blog/commit/cca87f0a0edc2e7e049d46d51f4a4d8f78b714ba
Attribution
Łukasz Rybak reported this vulnerability.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.xwiki.contrib.blog:application-blog-ui | all versions | 9.15.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.xwiki.contrib.blog:application-blog-ui. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.xwiki.contrib.blog:application-blog-ui to 9.15.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h2xq-h7f9-vh6c is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-h2xq-h7f9-vh6c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-h2xq-h7f9-vh6c. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-h2xq-h7f9-vh6c in your dependencies?
O3 detects GHSA-h2xq-h7f9-vh6c across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.