PT-2023-20455 · Xwiki · Xwiki Commons

Michael Hamann · Published 2023-03-01 · Updated 2023-03-13 · CVE-2023-26055

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Commons versions 3.1-milestone-1 through 13.10.8
XWiki Commons versions 14.0.0 through 14.4.3
XWiki Commons versions 14.5.0 through 14.7RC0

Description

Any registered user who can edit their own profile (the default for every account) can store a payload in a short text property of that profile; when the property is displayed, the injected code is executed with programming rights. In XWiki, programming rights allow script execution on the server, which is why the vector is scope-changed with high impact on confidentiality, integrity and availability. The same flaw can be triggered anywhere short text properties are displayed, for example in applications created with Apps Within Minutes that use a short text field.

Recommendations

For versions 3.1-milestone-1 through 13.10.8, update to version 13.10.9 or later.
For versions 14.0.0 through 14.4.3, update to version 14.4.4 or later.
For versions 14.5.0 through 14.7RC0, update to version 14.7RC1 or later.
Until the update is applied, restrict which users can edit short text properties (including their own profile fields) as a temporary workaround; this limits exposure but does not remove the flaw.
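The version ranges above are awkward to check by hand because XWiki release names carry milestone and RC qualifiers. The script below is an added example, not code from the advisory or the XWiki project: it parses an XWiki Commons version string and reports whether it falls inside one of the ranges listed here and which release first fixes it. The ordering milestone < RC < final release is an assumption about XWiki's release naming, and a version outside every listed range is reported as not affected only because that is all the advisory states.

```python
"""Check an XWiki Commons version string against the affected ranges
of this advisory (CVE-2023-26055).

Added example, not code from the advisory or the XWiki project.
"""
import re
import sys

# Affected ranges exactly as listed in the advisory (inclusive on both ends),
# paired with the first fixed version of that branch.
AFFECTED_RANGES = [
    ("3.1-milestone-1", "13.10.8", "13.10.9"),
    ("14.0.0", "14.4.3", "14.4.4"),
    ("14.5.0", "14.7RC0", "14.7RC1"),
]

# Assumption about XWiki's release naming: a milestone precedes the release
# candidates of the same version, which precede the final release.
QUALIFIER_RANK = {"milestone": 0, "rc": 1, "final": 2}

# Accepts '13.10.8', '14.7RC1', '14.7-rc-1', '3.1-milestone-1' and similar.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-?(milestone|rc)-?(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn a version string into a sortable tuple
    (major, minor, patch, qualifier_rank, qualifier_number)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised XWiki version string: %r" % text)
    major, minor, patch, qualifier, number = m.groups()
    rank = QUALIFIER_RANK[qualifier.lower()] if qualifier else QUALIFIER_RANK["final"]
    return (int(major), int(minor or 0), int(patch or 0), rank, int(number or 0))


def assess(version):
    """Return (affected, first_fixed_version) for the given version string.

    A version outside every listed range yields (False, None); that only
    means the advisory does not list it, not that the build is safe."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


def main(argv):
    if len(argv) != 2:
        print("usage: %s <xwiki-commons-version>" % argv[0])
        return 2
    affected, fixed = assess(argv[1])
    if affected:
        print("%s is affected by CVE-2023-26055; update to %s or later" % (argv[1], fixed))
        return 1
    print("%s is not in an affected range of CVE-2023-26055" % argv[1])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_xwiki_commons.py 14.4.3`; the deployed version can typically be read from the `xwiki-commons-*` jar names under `WEB-INF/lib` of the XWiki WAR. The exit status (1 for affected, 0 otherwise) makes the check easy to drop into an inventory script.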

Related Identifiers

CVE-2023-26055
GHSA-8CW6-4R32-6R3H

Affected Products

Xwiki Commons