PT-2023-20668 · Xwiki · Xwiki Platform

Thomas Mortagne · Published 2023-03-02 · Updated 2023-03-10 · CVE-2023-26477

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- XWiki Platform versions 6.3-rc-1 through 13.10.9
- XWiki Platform versions 6.2.4 through 14.4.5
- XWiki Platform version 14.4.6 is not affected, but versions prior to 14.4.6 are
Description

The issue allows injecting arbitrary wiki syntax, including Groovy, Python, and Velocity script macros, via the newThemeName request parameter when it is combined with the additional parameters form_token=1&action=create. This can lead to the execution of malicious code on the server. For example, a request to

/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create

will execute the Groovy code println("hello from groovy!") on the server.
Recommendations

For versions 6.3-rc-1 through 13.10.9, update to version 13.10.10 or later. For versions 6.2.4 through 14.4.5, update to version 14.4.6 or later. As a temporary workaround for all affected versions, edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
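As an added, defender-side example (not code from the advisory or from the XWiki project): a small Python scanner that walks access-log lines and flags requests to FlamingoThemesCode/WebHomeSheet whose newThemeName parameter, once percent-decoded, carries {{...}} macro delimiters together with action=create, which is the precondition the description above lays out. The common-log line format, the sample lines and the function names are assumptions of this example; the sample log is constructed, not captured.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Sheet page the advisory names as the injection point.
VULNERABLE_SHEET = "/FlamingoThemesCode/WebHomeSheet"

# Script macros the advisory lists; any other macro name still counts as
# wiki-syntax injection, it just gets a lower-confidence label.
SCRIPT_MACROS = {"groovy", "python", "velocity"}

# Opening or closing XWiki macro marker, e.g. "{{groovy}}" or "{{/async}}".
MACRO_RE = re.compile(r"\{\{\s*/?\s*(\w+)")

# Common-log-style request line (assumed format): client, timestamp,
# then "METHOD target HTTP/x".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log (not taken from the advisory). Line 2 is a normal
# theme creation; line 3 carries macro syntax inside newThemeName.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2023:10:00:01 +0000] "GET /xwiki/bin/view/FlamingoThemesCode/WebHomeSheet HTTP/1.1" 200 5120
10.0.0.5 - - [02/Mar/2023:10:00:07 +0000] "GET /xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=MyTheme&form_token=1&action=create HTTP/1.1" 302 0
10.0.0.9 - - [02/Mar/2023:10:01:13 +0000] "GET /xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22x%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create HTTP/1.1" 200 5120
"""


def analyze_request(target: str) -> Optional[dict]:
    """Return a finding dict if `target` (path plus query string) looks like
    a theme-name injection against the vulnerable sheet, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_SHEET):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    names = params.get("newThemeName")
    # The advisory's precondition: newThemeName together with action=create.
    if not names or "create" not in params.get("action", []):
        return None
    value = names[0]  # parse_qs has already percent-decoded the value
    # A theme name never legitimately contains macro delimiters.
    if "{{" not in value and "}}" not in value:
        return None
    macros = sorted({m.lower() for m in MACRO_RE.findall(value)})
    return {
        "theme_name": value,
        "macros": macros,
        "script_macros": sorted(SCRIPT_MACROS.intersection(macros)),
        "has_form_token": "form_token" in params,
    }


def scan_log(text: str) -> list:
    """Run analyze_request over every parseable line of an access log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding.update(line=lineno, client=m.group("client"),
                           method=m.group("method"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        label = ("script macro injection" if f["script_macros"]
                 else "wiki macro injection")
        print(f"line {f['line']}: {label} from {f['client']} "
              f"macros={f['macros']}")
```

Access logs only record the query string, so this check catches GET requests; the same decode-then-inspect rule belongs in a WAF or request filter that also sees form bodies. Detection is a stopgap: the upgrade or the sheet edit listed under Recommendations is the actual fix.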

Exploit · Fix

Weakness Enumeration: Code Injection · Eval Injection

Related Identifiers: CVE-2023-26477 · GHSA-X2QM-R4WX-8GPG

Affected Products: Xwiki Platform