PT-2023-22297 · Xwiki · Xwiki Platform

Manuel Leduc

·

Published

2023-04-18

·

Updated

2023-04-28

·

CVE-2023-29515

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.1
XWiki Platform versions prior to 15.0 RC1
Description

The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes (AWM). The admin right implies the script right and thus allows JavaScript injection. The vulnerability is exploited by creating an app in App Within Minutes. Even when the create button is disabled because the user lacks the global edit right, the app can still be created by directly opening "/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true" on the XWiki installation, so the UI restriction alone is not a control.
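Because the bypass is a direct request to a known page, the creation path can be hunted for in web-server access logs. The following is an added example, not code from the advisory or from the XWiki project: it parses combined-format access-log lines (a constructed sample is embedded), percent-decodes the request path before matching so that encoded letters in the path do not hide the hit, and reports every request for the AWM CreateApplication page together with whether the wizard parameter was set. The log format and sample addresses are assumptions; the page name comes from the advisory.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format as written by Apache httpd / nginx; only the fields used
# below are captured. Assumed layout; adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Page that the advisory names as the direct entry point into app creation.
CREATE_APP_PATH = "/xwiki/bin/view/AppWithinMinutes/CreateApplication"

# Constructed sample log: one normal page view, one plain hit on the wizard,
# one hit with a percent-encoded letter in the path, one unrelated AWM view.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2023:10:01:30 +0000] "GET /xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2023:10:02:11 +0000] "GET /xwiki/bin/view/AppWithinMinutes/CreateAppl%69cation?wizard=true HTTP/1.1" 200 8841 "-" "curl/7.88.1"
198.51.100.4 - - [18/Apr/2023:10:02:40 +0000] "GET /xwiki/bin/view/AppWithinMinutes/ HTTP/1.1" 200 3020 "-" "curl/7.88.1"
"""


def find_create_app_requests(log_text: str) -> List[Tuple[str, str, bool]]:
    """Return (client_ip, timestamp, wizard_flag) for each request that reaches
    the AWM CreateApplication page, regardless of how the path was encoded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        # Decode the path before comparing so "%69" and "i" are treated alike.
        path = unquote(parts.path).rstrip("/")
        if path != CREATE_APP_PATH:
            continue
        query = parse_qs(parts.query)
        wizard = query.get("wizard", [""])[0].lower() == "true"
        hits.append((m.group("ip"), m.group("ts"), wizard))
    return hits


if __name__ == "__main__":
    for ip, ts, wizard in find_create_app_requests(SAMPLE_LOG):
        print(f"{ts} {ip} CreateApplication wizard={wizard}")
```

A hit is not proof of abuse: the same page is what the legitimate AWM button opens, so correlate the client with the XWiki user session and with who was expected to hold global edit right at that time.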
Recommendations

To resolve the issue for versions prior to 13.10.11, upgrade to version 13.10.11 or later.
To resolve the issue for versions prior to 14.4.8, upgrade to version 14.4.8 or later.
To resolve the issue for versions prior to 14.10.1, upgrade to version 14.10.1 or later.
To resolve the issue for versions prior to 15.0 RC1, upgrade to version 15.0 RC1 or later.

As a temporary workaround, consider denying view access to AppWithinMinutes.LiveTableEditSheet to prevent creation and editing of App Within Minutes apps.
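The four fix versions cover four release lines, so "prior to 14.10.1" has to be read per branch: 14.4.8 is fixed while 14.5 through 14.10.0 are not. The following is an added triage helper, not code from the advisory or from XWiki: it parses XWiki-style version strings (including "-rc-N" and "-milestone-N" pre-releases) into comparable tuples and reports whether a given version is in an affected range. The branch boundaries (13.x, 14.0 to 14.4, 14.5 to 14.10, 15.0 pre-releases) are this example's reading of the advisory, not text from the page.

```python
import re
from typing import Tuple

# Fix versions named in the advisory, one per release line.
FIXED_13 = "13.10.11"
FIXED_14_4 = "14.4.8"
FIXED_14_10 = "14.10.1"
FIXED_15 = "15.0-rc-1"

# Pre-release stages in ascending order; a final release outranks both.
_STAGE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a comparable tuple.

    Accepts forms such as "13.10.11", "14.10", "15.0-rc-1", "15.0-milestone-2".
    Returns (major, minor, patch, stage_rank, stage_number) so that plain tuple
    comparison orders milestones < release candidates < final releases.
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_vulnerable(version: str) -> bool:
    """True if the version falls in one of the affected ranges of CVE-2023-29515.

    Branch assignment is an assumption derived from the four fix versions:
    13.x is fixed at 13.10.11, 14.0..14.4 at 14.4.8, 14.5..14.10 at 14.10.1,
    and 15.0 pre-releases at 15.0 RC1. Anything older than 13 is affected,
    anything at or after 15.0 RC1 is not.
    """
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 13:
        return True
    if major == 13:
        return v < parse_version(FIXED_13)
    if major == 14:
        fixed = FIXED_14_4 if minor <= 4 else FIXED_14_10
        return v < parse_version(fixed)
    if major == 15 and minor == 0:
        return v < parse_version(FIXED_15)
    return False


if __name__ == "__main__":
    for candidate in ("13.10.10", "14.4.8", "14.5", "14.10.1", "15.0-milestone-2", "15.0-rc-1"):
        print(f"{candidate:>18}: {'affected' if is_vulnerable(candidate) else 'fixed'}")
```

Feed it the value from the instance's own version report rather than a package label, since distributions sometimes backport fixes without changing the upstream version string; a "fixed" verdict here only means the upstream range check passed.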

Exploit

Fix

XSS

Related Identifiers

CVE-2023-29515
GHSA-44H9-XXVX-PG6X

Affected Products

Xwiki Platform