PT-2023-26181 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-25 · Updated 2023-11-03 · CVE-2023-37913

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 3.5-milestone-1 through 14.10.7
XWiki Platform versions 15.3-rc-1 and earlier

Description
Triggering the office converter with a specially crafted file name allows writing the attachment's content to an attacker-controlled location on the server, as long as the Java process has write access to that location. This could be used to replace the jar file of an extension, allowing execution of arbitrary Java code and impacting the confidentiality, integrity, and availability of the XWiki installation. The issue can be reproduced by uploading an attachment through the REST API, which doesn't remove `/` or `\` from the filename, and using the attachment move feature to rename the file to a desired location.

Recommendations
For XWiki Platform versions 3.5-milestone-1 through 14.10.7, update to version 14.10.8 or later. For XWiki Platform versions 15.3-rc-1 and earlier, update to version 15.3RC1 or later. As a temporary workaround, consider disabling the office converter until a patch is available.
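The following is an added illustration of the defect class described above and of the check that closes it; it is not XWiki's own code. `unsafeTarget` joins the raw attachment name to the converter's work directory exactly as received, while `safeTarget` first rejects any name that is not a single plain path component and then verifies that the resolved path stays inside the work directory. The directory and file names used in `main` are constructed for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added illustration of the described defect and its mitigation; not XWiki code. */
public final class AttachmentNameGuard {
    private AttachmentNameGuard() {}

    /** Defect pattern: the raw attachment name is joined to the work directory as-is,
     *  so a name containing separators or ".." segments can point anywhere writable. */
    public static Path unsafeTarget(Path workDir, String attachmentName) {
        return workDir.resolve(attachmentName).normalize();
    }

    /** Mitigation step 1: accept only a single plain path component (no '/', '\' or NUL). */
    public static boolean isSafeName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            return false;
        }
        return !name.equals(".") && !name.equals("..");
    }

    /** Mitigation step 2 (defense in depth): verify the resolved path stays under workDir. */
    public static Path safeTarget(Path workDir, String attachmentName) {
        if (!isSafeName(attachmentName)) {
            throw new IllegalArgumentException("rejected attachment name: " + attachmentName);
        }
        Path base = workDir.toAbsolutePath().normalize();
        Path target = base.resolve(attachmentName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("target escapes work directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        Path work = Paths.get("/tmp/office-work");               // constructed directory
        String benign = "report.docx";                            // constructed name
        String crafted = "../../lib/EXAMPLE-extension.jar";       // constructed traversal name
        System.out.println("unsafe, benign : " + unsafeTarget(work, benign));
        System.out.println("unsafe, crafted: " + unsafeTarget(work, crafted)); // leaves /tmp/office-work
        System.out.println("safe, benign   : " + safeTarget(work, benign));
        try {
            safeTarget(work, crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("safe, crafted  : " + e.getMessage());          // rejected
        }
    }
}
```

The same two checks apply wherever a user-supplied attachment name is turned into a filesystem path, including the rename performed by the attachment move feature, not only at upload time.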

Path traversal

Weakness Enumeration: Relative Path Traversal

Related Identifiers: CVE-2023-37913, GHSA-VCVR-V426-3M3M

Affected Products: Xwiki Platform