CVE-2023-29210

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 13.10.11 XWiki versions prior to 14.4.7 XWiki versions prior to 14.10

Description Any user with view rights on commonly accessible documents, including the notification preferences macros, can execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provides the notification filters. These macros are used in the user profiles and thus installed by default in XWiki.

Recommendations For XWiki versions prior to 13.10.11, update to version 13.10.11 or later. For XWiki versions prior to 14.4.7, update to version 14.4.7 or later. For XWiki versions prior to 14.10, update to version 14.10 or later. As a temporary workaround, consider patching the code in the affected macros that are contained in XWiki documents as shown in the patch for this issue.