Xwiki · Xwiki Platform · CVE-2022-23621
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform versions prior to 12.10.9
XWiki Platform versions prior to 13.4.3
XWiki Platform versions prior to 13.7-rc-1
**Description**
Any user holding the SCRIPT right can read any file inside the XWiki WAR, including xwiki.cfg and xwiki.properties, through the XWiki#invokeServletAndReturnAsString API, for example `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`.
**Recommendations**
For versions prior to 12.10.9, update to version 12.10.9 or later.
For versions prior to 13.4.3, update to version 13.4.3 or later.
For versions prior to 13.7-rc-1, update to version 13.7-rc-1 or later.
As a temporary workaround, consider limiting the SCRIPT right to trusted users.
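The three affected ranges above map onto three maintenance branches, and pre-release tags such as `13.7-rc-1` make a plain string comparison unreliable. The following is an added example, not code from XWiki or from this advisory, that turns the list into a check an administrator can run against a deployment inventory. It assumes XWiki version strings of the form `MAJOR.MINOR[.PATCH][-milestone-N|-rc-N]`, and it assumes that 14.x and later already carry the 13.7-rc-1 fix and are therefore not affected.

```python
import re

# First fixed release on each maintenance branch, as stated in the advisory.
FIXED_12_X = "12.10.9"
FIXED_13_0_TO_13_4 = "13.4.3"
FIXED_13_5_PLUS = "13.7-rc-1"

# Assumed version-string shape: 13.4.2, 13.6, 13.7-rc-1, 14.0-milestone-1.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>milestone|rc)-(?P<pre_num>\d+))?$",
    re.IGNORECASE,
)
_PRE_RANK = {"milestone": 0, "rc": 1}


def version_key(version):
    """Map an XWiki version string to a tuple that sorts in release order.

    Pre-releases sort before the final release with the same number
    (13.7-milestone-1 < 13.7-rc-1 < 13.7); a missing patch counts as 0.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major = int(m.group("major"))
    minor = int(m.group("minor"))
    patch = int(m.group("patch") or 0)
    if m.group("pre") is None:
        pre = (1, 0, 0)  # final release sorts after any pre-release
    else:
        pre = (0, _PRE_RANK[m.group("pre").lower()], int(m.group("pre_num")))
    return (major, minor, patch) + pre


def fixed_version_for(version):
    """Return the first fixed release on the branch `version` belongs to,
    or None for branches that were never affected (assumed: 14.x and later)."""
    major, minor = version_key(version)[:2]
    if major <= 12:
        return FIXED_12_X
    if major == 13 and minor <= 4:
        return FIXED_13_0_TO_13_4
    if major == 13:
        return FIXED_13_5_PLUS
    return None


def is_affected(version):
    """True when `version` is older than the fix on its own branch."""
    fixed = fixed_version_for(version)
    return fixed is not None and version_key(version) < version_key(fixed)


def triage(versions):
    """Return {version: advice} for a list of deployed versions."""
    advice = {}
    for v in versions:
        if is_affected(v):
            advice[v] = (f"affected: update to {fixed_version_for(v)} or later; "
                         "until then restrict the SCRIPT right to trusted users")
        else:
            advice[v] = "not affected"
    return advice


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["12.10.8", "12.10.9", "13.4.2", "13.6", "13.7-rc-1", "14.0"]
    for v, text in triage(sample).items():
        print(f"{v:>10}  {text}")
```

Because the ordering is a tuple, `13.7-rc-1` correctly sorts above every 13.6.x build and below the final `13.7`, so a site on `13.6` is reported as affected while `13.7-rc-1` is not.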