PT-2022-6848 · Unknown · Xwiki Platform

Michael Hamann · Published 2022-09-16 · Updated 2023-07-10 · CVE-2023-36468

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.7
XWiki Platform versions prior to 15.2RC1
XWiki Platform versions prior to 13.10.6
XWiki Platform versions prior to 14.4
Description
XWiki Platform contains a vulnerability that allows remote code execution and compromises the confidentiality, integrity, and availability of the whole XWiki installation. The issue arises when an XWiki installation is upgraded and the upgrade contains a fix for a bug in a document: the old, vulnerable version of that document remains in its history, so the bug can still be triggered after the upgrade by adding rev=1.1 to the URL used in the reproduction steps. The same applies to manually added script macros whose security vulnerabilities were later fixed without deleting the vulnerable versions from the history. The issue does not affect freshly installed versions of XWiki, nor content loaded from the current version of a document, such as wiki macros or UI extensions.
Recommendations
For XWiki Platform versions prior to 14.10.7, update to version 14.10.7 or later.
For XWiki Platform versions prior to 15.2RC1, update to version 15.2RC1 or later.
For XWiki Platform versions prior to 13.10.6, update to version 13.10.6 or later.
For XWiki Platform versions prior to 14.4, update to version 14.4 or later.
As a temporary workaround, admins can manually delete old revisions of affected documents. A script can be used to identify all installed documents and delete their history. However, manually added and later corrected code may also be affected, so it is easy to miss documents.

Exploit · Fix

Tags: RCE

Weakness Enumeration
Code Injection
Improper Encoding or Escaping of Output
Eval Injection

Related Identifiers
BDU:2023-05132
CVE-2023-36468
GHSA-2G5C-228J-P52X
GHSA-8Q9Q-R9V2-644M

Affected Products
Xwiki Platform