CVE-2023-29512

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0-rc-1

Description The issue allows any user with edit rights on a page to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm. This page is installed by default.

Recommendations For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.8, upgrade to version 14.4.8 or later. For versions prior to 14.10.1, upgrade to version 14.10.1 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider applying the patch on imported.vm, importinline.vm, and packagelist.vm to fix the issue.