Found an XSS bug in XWiki. Below are the details of the bug, which have been verified from my end.
Example Vulnerable Link:
URL encoded GET input qs was set to 1" onmouseover=prompt(922101) bad="
The input is reflected inside a tag parameter between double quotes.
How to fix this vulnerability
The script should filter metacharacters from user input.
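
The reflection described above, as an added example (not part of the original report and not XWiki's own code): the `qs` value is placed into a double-quoted attribute first raw and then with HTML attribute encoding, and a parser shows which attributes the tag ends up with. The `<input>` template and all function names are assumptions, and the hardened form encodes the metacharacters at output rather than stripping them from the input.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed query string: the qs value quoted in the report, URL encoded.
SAMPLE_QUERY = "qs=1%22+onmouseover%3Dprompt(922101)+bad%3D%22"
TEMPLATE = '<input type="text" name="qs" value="{}">'  # hypothetical markup

def sample_value() -> str:
    """Decode the qs parameter the way a server-side framework would."""
    return parse_qs(SAMPLE_QUERY)["qs"][0]

def render_vulnerable(qs: str) -> str:
    """'Before' form: raw input lands between the attribute's double quotes."""
    return TEMPLATE.format(qs)

def render_escaped(qs: str) -> str:
    """Encode & < > " ' so the value cannot terminate the attribute."""
    return TEMPLATE.format(escape(qs, quote=True))

class AttrCollector(HTMLParser):
    """Records the attributes a parser actually sees on the <input> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def input_attributes(markup: str) -> dict:
    collector = AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs

def injected_attributes(markup: str) -> list:
    """Attribute names present on the tag beyond the three in TEMPLATE."""
    return sorted(set(input_attributes(markup)) - {"type", "name", "value"})

if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped):
        html_out = render(sample_value())
        print(render.__name__, injected_attributes(html_out), html_out)
```

The same parser check can serve as a regression test for any template that reflects request parameters into attributes.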