PT-2023-25177 · Unknown · Xwiki Platform

Michael Hamann · Published 2023-06-20 · Updated 2023-06-28 · CVE-2023-35166

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 14.10.5; XWiki Platform versions prior to 15.1-rc-1

Description: The issue allows execution of any wiki content with the rights of the TipsPanel author by creating a tip UI extension. This can be achieved by adding an object of type UIExtensionClass and setting specific parameters, including the tip parameter with a Groovy macro. The Groovy macro is executed when the "Help.TipsPanel" document is opened and refreshed.

Recommendations: For XWiki Platform versions prior to 14.10.5, update to version 14.10.5 or later. For XWiki Platform versions prior to 15.1-rc-1, update to version 15.1-rc-1 or later. As a temporary workaround, consider restricting access to the UIExtensionClass object and the "Help.TipsPanel" document to minimize the risk of exploitation.


Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2023-35166
GHSA-H7CW-44VP-JQ7H

Affected Products

Xwiki Platform