CVE-2023-26471

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 11.6-rc-1 through 14.8 XWiki Platform versions 14.4.0 through 14.4.5 XWiki Platform versions 13.10.0 through 13.10.9

Description The XWiki Platform is a generic wiki platform where comments are supposed to be executed with the right of superadmin but in restricted mode. However, the async macro does not take into account the restricted mode, allowing any user with comment right to use the async macro to make it execute any wiki content with the right of superadmin.

Recommendations For XWiki Platform versions 11.6-rc-1 through 14.8, update to version 14.9. For XWiki Platform versions 14.4.0 through 14.4.5, update to version 14.4.6. For XWiki Platform versions 13.10.0 through 13.10.9, update to version 13.10.10. As a temporary workaround, consider applying a patch and rebuilding and redeploying org.xwiki.platform:xwiki-platform-rendering-async-macro.