PT-2023-20666 · Xwiki · Xwiki Platform

Renniepak · Published 2023-03-02 · Updated 2023-03-13 · CVE-2023-26475

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 2.3-milestone-1 through 13.10.10
XWiki Platform versions 14.4.6 and earlier
XWiki Platform versions prior to 14.10
Description

The annotation displayer in XWiki Platform does not execute annotation content in a restricted context. Any user who can annotate a document can therefore execute arbitrary code with the rights of that document's author. This issue has been patched in XWiki 13.10.11, 14.4.7, and 14.10. To reproduce the issue, add an annotation with content such as {{groovy}}print "hello"{{/groovy}} and click to display the annotation inline: it should result in an error, but instead prints "hello".
Recommendations

For XWiki Platform versions 2.3-milestone-1 through 13.10.10, upgrade to version 13.10.11 or later.
For XWiki Platform versions 14.4.6 and earlier, upgrade to version 14.4.7 or later.
For XWiki Platform versions prior to 14.10, upgrade to version 14.10 or later.
As a temporary workaround, consider restricting the use of the annotation feature until a patch is applied.
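Before upgrading, or while the annotation feature is restricted, a defender will want to know which existing annotations already carry script macros and whether they were written by someone other than the document author (the case where the macro would run with elevated rights). The triage script below is an added example and is not part of this advisory or of XWiki; the record layout, the field names, and the script macro names other than groovy are assumptions.

```python
import re
from typing import Iterable

# XWiki script macros whose body runs server-side. The advisory itself only
# names {{groovy}}; the other names are assumed for broader coverage.
SCRIPT_MACROS = frozenset({"groovy", "velocity", "python", "php", "ruby", "script"})

# Opening macro tag in XWiki 2.x syntax: {{name}}, {{name param="x"}} or the
# self-closing {{name/}}. Closing tags ({{/name}}) do not match because the
# name must start with a letter. Escaped forms ("~{{") are not special-cased;
# they are reported as well and left for manual review.
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w-]*)(?:\s[^}]*)?/?\}\}")


def find_script_macros(text: str) -> list[str]:
    """Return lower-cased script macro names found in annotation text, in order."""
    return [m.group(1).lower() for m in MACRO_OPEN.finditer(text)
            if m.group(1).lower() in SCRIPT_MACROS]


def triage_annotations(annotations: Iterable[dict]) -> list[dict]:
    """Flag annotations containing script macros.

    Each record is assumed to carry "document", "doc_author",
    "annotation_author" and "text". A finding marks cross_author=True when
    the annotating user is not the document author: on unpatched versions the
    macro runs with the document author's rights, which is the escalation
    this advisory describes.
    """
    findings = []
    for rec in annotations:
        macros = find_script_macros(rec["text"])
        if not macros:
            continue
        findings.append({
            "document": rec["document"],
            "annotation_author": rec["annotation_author"],
            "macros": macros,
            "cross_author": rec["annotation_author"] != rec["doc_author"],
        })
    return findings


# Constructed sample records, not data taken from a real XWiki instance.
SAMPLE_ANNOTATIONS = [
    {"document": "Main.WebHome", "doc_author": "XWiki.Admin",
     "annotation_author": "XWiki.Alice", "text": "Typo in second paragraph."},
    {"document": "Main.WebHome", "doc_author": "XWiki.Admin",
     "annotation_author": "XWiki.Bob", "text": '{{groovy}}print "hello"{{/groovy}}'},
    {"document": "Sandbox.Test", "doc_author": "XWiki.Carol",
     "annotation_author": "XWiki.Carol", "text": '{{Velocity wiki="true"}}$doc{{/velocity}}'},
    {"document": "Sandbox.Test", "doc_author": "XWiki.Carol",
     "annotation_author": "XWiki.Dave", "text": "See {{info}}note{{/info}} above."},
]

if __name__ == "__main__":
    for finding in triage_annotations(SAMPLE_ANNOTATIONS):
        print(finding)
```

On a real instance the records would be built from the annotation objects exported from each document; the matching itself is unchanged.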

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2023-26475
GHSA-H6F5-8JJ5-CXHR

Affected Products

Xwiki Platform