PT-2023-22301 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2023-05-01 · CVE-2023-29523

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.2
XWiki Platform versions prior to 15.0RC1

Description
The issue allows any user who can edit their own user profile to execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution with unrestricted read and write access to all wiki contents. This can also be exploited in other contexts where the display method on a document is used to display a field with wiki syntax, such as in applications created using App Within Minutes.

Recommendations
For versions prior to 13.10.11, upgrade to version 13.10.11 or later.
For versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For versions prior to 14.10.2, upgrade to version 14.10.2 or later.
For versions prior to 15.0RC1, upgrade to version 15.0RC1 or later.

Exploit

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2023-29523
GHSA-X764-FF8R-9HPX

Affected Products

Xwiki Platform