CVE-2023-29206

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 14.9-rc-1

Description The issue arises from the lack of checks on the author of a JavaScript xobject or StyleSheet xobject added to a XWiki document. This allowed a user with only Edit Right to create such an object and craft a script that could perform certain operations when executed by a user with appropriate rights.

Recommendations For versions prior to 14.9-rc-1, update to XWiki 14.9-rc-1 or later, which patches the issue by only executing the script if the author of it has Script rights. As a temporary workaround, consider applying the patch and rebuilding and redeploying xwiki-platform-skin-skinx.