CVE-2023-50723

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 2.3 through 14.10.14 XWiki Platform versions 15.5.1 and earlier XWiki Platform versions prior to 15.7-rc-1

Description The issue is related to incorrect code generation management in the XWiki Platform, allowing a remote attacker to execute arbitrary code. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile, making this exploitable by all users of the XWiki instance.

Recommendations For XWiki Platform versions 2.3 through 14.10.14, update to version 14.10.15 or later. For XWiki Platform versions 15.5.1 and earlier, update to version 15.5.2 or later. For XWiki Platform versions prior to 15.7-rc-1, update to version 15.7-rc-1 or later. As a temporary workaround, consider manually applying the fixes for the vulnerability by editing the XWiki.ConfigurableClassMacros and XWiki.ConfigurableClass pages. Restrict access to the administration interface to minimize the risk of exploitation. Avoid using the XWiki.ConfigurableClass object with specially crafted names until the issue is resolved.