XWiki Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2022-36097

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1 it39s possible to store JavaScript in an attachment name which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround one may copy moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replace vulnerable code with code from the patch.