Marius Dumitru Florea

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 15.10.2 XWiki Platform versions prior to 16.4.1 XWiki Platform versions prior to 16.6.0-rc-1 **Description** A user with only `edit right` can join a realtime editing session where others have `script` or `programming` access rights. This user can then insert `script rendering macros` that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. **Recommendations** For XWiki Platform versions prior to 15.10.2, upgrade to version 15.10.2 or later. For XWiki Platform versions prior to 16.4.1, upgrade to version 16.4.1 or later. For XWiki Platform versions prior to 16.6.0-rc-1, upgrade to version 16.6.0-rc-1 or later. As a temporary workaround, consider disabling the `xwiki-realtime` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).