PT-2023-26178 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-25 · Updated 2023-10-31

CVE-2023-37909
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 5.1-rc-1 through 14.10.7
XWiki Platform versions 15.3-rc-1 and earlier

Description
The issue allows any user who can edit their own user profile to execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution with unrestricted read and write access to all wiki contents. This can be achieved by adding an object of type UIExtensionClass to the user profile and setting the Extension Point ID to a malicious value, such as {{/html}}{{async async=false cache=false}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}. The attack can be reproduced by accessing the <xwiki-host>/xwiki/bin/edit/XWiki/<username>?sheet=Menu.UIExtensionSheet endpoint.

Recommendations
For XWiki Platform versions 5.1-rc-1 through 14.10.7, update to version 14.10.8 or later. For XWiki Platform versions 15.3-rc-1 and earlier, update to version 15.3-rc-1 or later. As a temporary workaround, the patch can be manually applied to the document Menu.UIExtensionSheet; only three lines need to be changed.
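As an added defensive check that is not part of this advisory or of XWiki's own code: the script below scans an XWiki document export (the XML form used in XAR archives) for UIExtensionClass objects whose extension point ID carries wiki macro syntax, which is the indicator of the abuse described above. The document/object/property layout, the extensionPointId and scope property names, and the sample document are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like an XWiki document export (a page in the
# XWiki space, i.e. a user profile); the layout and property names are assumed.
SAMPLE_DOC_XML = """<xwikidoc>
  <web>XWiki</web>
  <name>mallory</name>
  <object>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>{{/html}}{{async async=false cache=false}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}</extensionPointId></property>
    <property><scope>wiki</scope></property>
  </object>
  <object>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.menu.left</extensionPointId></property>
    <property><scope>user</scope></property>
  </object>
</xwikidoc>"""

# A legitimate extension point ID is a dotted identifier; any XWiki 2.x macro
# opener ({{name ...}} or {{/name}}) inside it is wiki syntax that the
# unpatched sheet would render instead of displaying as text.
MACRO_OPENER = re.compile(r"\{\{/?[A-Za-z]")


def find_macro_extension_points(doc_xml: str) -> list[dict]:
    """Return one finding per UIExtensionClass object whose extension point ID
    contains macro syntax, with the page name and the object's scope."""
    root = ET.fromstring(doc_xml)
    page = f"{root.findtext('web')}.{root.findtext('name')}"
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.UIExtensionClass":
            continue
        ep_id = obj.findtext("property/extensionPointId") or ""
        if MACRO_OPENER.search(ep_id):
            findings.append({
                "page": page,
                "is_user_profile": page.startswith("XWiki."),  # profiles live in the XWiki space
                "scope": obj.findtext("property/scope"),
                "extensionPointId": ep_id,
            })
    return findings


if __name__ == "__main__":
    for f in find_macro_extension_points(SAMPLE_DOC_XML):
        print(f"{f['page']} profile={f['is_user_profile']} scope={f['scope']}: {f['extensionPointId'][:60]}")
```

Run it over every document in a XAR export to list profile pages that carry such objects; a hit on an unpatched instance is a reason to remove the object and apply the fix above.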

Tags: Exploit · Fix · RCE · Eval Injection · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-37909
GHSA-V2RR-XW95-WCJX

Affected Products

Xwiki Platform