A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability of the whole XWiki instance.
The problem has been patched by properly escaping the URL parameters.
The patch can be applied manually to templates/changesdoc.vm in the deployed WAR.
XWiki thanks Mike Cole @mikecole-mg for discovering and reporting this vulnerability.
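To illustrate the kind of fix the advisory describes, here is an added example of the pattern in a Velocity template; it is not the XWiki patch itself, and the parameter name `rev` and the surrounding markup are assumptions made for the example.

```velocity
## Vulnerable pattern (assumed markup): the raw request parameter is
## written straight into the HTML, so whoever controls the URL controls
## the markup rendered in the victim's browser.
#set ($rev = $request.getParameter('rev'))
<span class="revision">$rev</span>

## Hardened pattern: the same parameter is XML-escaped before output, so
## <, >, &, " and ' are emitted as text and cannot open a new element or
## attribute. The $! silent notation prints nothing when the parameter
## is absent instead of leaking the literal reference into the page.
<span class="revision">$!escapetool.xml($request.getParameter('rev'))</span>
```

Every other place the template echoes a request parameter needs the same treatment, with the escaping chosen for the output context (XML for element content and attributes, URL encoding for query strings).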
Patched versions: 16.10.16, 17.4.8, 17.10.1
CVSS 4.0 base score: 6.5
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H