We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet
wiki page related to the “newThemeName” form field.
The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.
The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeSheet
(with wiki editor) and change the line
<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />
into
<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />
If you have any questions or comments about this advisory: