PT-2023-22289 · Xwiki · Xwiki

Thomas Mortagne · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29507

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 14.4.7
XWiki versions prior to 14.10

Description
The Document script API returns the DocumentAuthors object directly, which allows a script to set any author on the document. Because the content author is the identity used for rights checks when the document's scripts run, this can lead to subsequent script executions with that author's privileges. An example of such an attack sets the content author to 'xwiki:XWiki.superadmin' from a Velocity template by calling the setContentAuthor method.

Recommendations
For versions prior to 14.4.7, update to version 14.4.7 or later to patch the issue. For versions prior to 14.10, update to version 14.10 or later to patch the issue. As a temporary workaround, consider restricting use of the Document script API until a patch is applied, and avoid using the authors variable exposed by the affected API until the issue is resolved.
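The two affected ranges above follow the usual XWiki pattern of a backported fix on the 14.4.x maintenance line (14.4.7) and the fix on the main line (14.10). The following script, added here as an example and not part of the advisory or of the XWiki project, turns those ranges into a triage check that can be run over a version inventory. It assumes that versions from 14.4.7 up to (but excluding) 14.5 carry the backported fix, that pre-release builds (for example "14.10-rc-1") should be treated conservatively as unfixed, and that the host names in SAMPLE_INVENTORY are constructed, not real.

```python
import re

# Affected ranges as stated in the advisory for CVE-2023-29507 (GHSA-PWFV-3CVG-9M4C):
# fixed in 14.4.7 on the 14.4.x maintenance line and in 14.10 otherwise.
# ASSUMPTION: 14.4.7 <= v < 14.5 is treated as fixed (the 14.4.x backport);
# a pre-release of a fixed version is treated as still affected.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*?)\s*$")


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, is_final).

    A pre-release suffix such as '-rc-1' or '-milestone-2' sets is_final=0,
    so the tuple sorts before the final release with the same numbers; this
    keeps the check conservative (a 14.10 release candidate is still flagged).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable XWiki version: {text!r}")
    major, minor, patch, rest = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if rest else 1)


def is_affected(text):
    """True if the given XWiki version falls in an affected range."""
    v = parse_version(text)
    if v < (14, 4, 7, 1):          # everything before the 14.4.7 backport
        return True
    if v < (14, 5, 0, 0):          # 14.4.7 and later on the 14.4.x line (assumption)
        return False
    return v < (14, 10, 0, 1)      # 14.5 .. 14.9.x and any 14.10 pre-release


def recommended_fix(text):
    """Return the advisory's target version for an affected install, else None."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    return "14.4.7" if v < (14, 5, 0, 0) else "14.10"


def triage(inventory):
    """Map host -> fix target for every affected host in a {host: version} dict."""
    return {host: recommended_fix(ver)
            for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {
    "wiki-a": "13.10.11",
    "wiki-b": "14.4.6",
    "wiki-c": "14.4.7",
    "wiki-d": "14.9",
    "wiki-e": "14.10-rc-1",
    "wiki-f": "14.10",
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected, upgrade to {target} or later")
```

The version tuple carries an explicit final-release flag so that a release candidate of a fixed version is never silently classed as patched; if your deployment tracks a different branch policy, adjust the (14, 5, 0, 0) boundary rather than the comparison logic.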

Related Identifiers

CVE-2023-29507
GHSA-PWFV-3CVG-9M4C

Affected Products

Xwiki