CVE-2023-46243

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.6 XWiki Platform versions prior to 15.2RC1

Description The issue allows a user to execute any content with the right of an existing document's content author, provided the user has edit right on it. A crafted URL of the form /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view can be used to execute arbitrary groovy code on the server.

Recommendations For XWiki Platform versions prior to 14.10.6, update to version 14.10.6 or later. For XWiki Platform versions prior to 15.2RC1, update to version 15.2RC1 or later. As a temporary workaround, consider restricting the edit action for users without programming or script right until a patch is applied. Avoid using the content parameter in the affected API endpoint /xwiki/bin/edit/ until the issue is resolved.