CVE-2023-26474

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 13.10 through 14.4.6 XWiki Platform versions 13.10 through 13.10.10 XWiki Platform versions 14.0 through 14.4.6

Description The issue allows an attacker to use the rights of an existing document content author to execute a text area property. This can be achieved by inserting specific text in source mode, such as {{groovy}}println("hello from groovy!"){{/groovy}}, and then saving and viewing the changes. There are no known workarounds for this issue.

Recommendations For XWiki Platform versions 13.10 through 13.10.10, update to version 13.10.11. For XWiki Platform versions 14.0 through 14.4.6, update to version 14.4.7 or 14.10. As a temporary workaround, consider restricting access to the text area property until a patch is applied.