CVE-2023-46244

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.7 XWiki Platform versions prior to 15.2RC1

Description The issue is related to authentication errors in the XWiki Platform, allowing a remote attacker to gain the rights of the XWiki.superadmin user. This can occur when a user writes a script that executes velocity content with the rights of any other document content author, despite not having programming rights. The expected result would be the content author of the document, but due to the security issue, the attacker can obtain the rights of XWiki.superadmin.

Recommendations For XWiki Platform versions prior to 14.10.7, upgrade to version 14.10.7 or later. For XWiki Platform versions prior to 15.2RC1, upgrade to version 15.2RC1 or later. As a temporary workaround, consider restricting the use of velocity content execution with the rights of other document content authors until a patch is applied. Avoid using the velocity API to execute scripts with elevated privileges until the issue is resolved.