CVE-2023-29509

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 13.10.11 XWiki versions prior to 14.4.7 XWiki versions prior to 14.10

Description Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the documentTree macro parameters. This macro is installed by default in FlamingoThemesCode.WebHome.

For example, opening the URL <xwiki host>/xwiki/bin/view/%22%20%2F%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=FlamingoThemesCode.WebHome&xpage=view demonstrates a privilege escalation from view to programming rights.

Recommendations For XWiki versions prior to 13.10.11, update to version 13.10.11 or later. For XWiki versions prior to 14.4.7, update to version 14.4.7 or later. For XWiki versions prior to 14.10, update to version 14.10 or later. As a temporary workaround, consider replacing the code of FlamingoThemesCode.WebHome with the patched version.