PT-2023-22293 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2023-04-28 · CVE-2023-29510

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.2
XWiki Platform version 15.0 RC1 and earlier

Description
The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are applied only to the current user, which also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping, allowing remote code execution for any user who has edit access on at least one document, which could be the user's own profile, where edit access is enabled by default.

Recommendations
For XWiki Platform versions prior to 14.10.2, upgrade to version 14.10.2 or later.
For XWiki Platform version 15.0 RC1 and earlier, upgrade to a patched version.
As a temporary workaround, consider restricting the XWiki.TranslationDocumentClass object with scope USER to minimize the risk of exploitation. Restrict access to the wiki editor and object editor to prevent users from adding malicious translations.

Exploit

Fix

RCE

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2023-29510
GHSA-4V38-964C-XJMW

Affected Products

Xwiki Platform