CVE-2023-27479

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.7 XWiki Platform versions prior to 14.10-rc-1

Description The issue allows any user with view rights to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit involves adding an XWiki.UIExtensionClass xobject to the user profile page with specific Extension Parameters content, including label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}, and then navigating to the PanelsCode.ApplicationsPanelConfigurationSheet page, which should not execute the Groovy script but may display "Hello from groovy!" if the issue is present.

Recommendations For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.7, upgrade to version 14.4.7 or later. For versions prior to 14.10-rc-1, upgrade to version 14.10-rc-1 or later. As a temporary workaround for users unable to upgrade, edit the PanelsCode.ApplicationsPanelConfigurationSheet wiki page and apply the modifications shown in commit 6de5442f3c.