PT-2023-4806 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-08-17 · Updated 2023-08-24 · CVE-2023-37914

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.6
XWiki Platform versions prior to 15.2-rc-1

Description

The issue concerns the XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros, including Groovy and Python macros, allowing remote code execution with unrestricted read and write access to all wiki contents.

Recommendations

For XWiki Platform versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For XWiki Platform versions prior to 14.10.6, upgrade to version 14.10.6 or later.
For XWiki Platform versions prior to 15.2-rc-1, upgrade to version 15.2-rc-1 or later.

As a temporary workaround for users unable to upgrade, manually apply the patch on Invitation.InvitationCommon and Invitation.InvitationConfig.

Tags

Exploit
Fix
RCE
Code Injection
Eval Injection


Weakness Enumeration

Related identifiers

BDU:2023-05269
CVE-2023-37914
GHSA-7954-6M9Q-GPVF

Affected products

Xwiki Platform