PT-2023-29430 · Xwiki · Xwiki Platform +2

Michael Hamann · Published 2023-10-25 · Updated 2023-11-02 · CVE-2023-45134

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 3.1-milestone-1 through 13.4-rc-1
org.xwiki.platform:xwiki-platform-web-templates versions prior to 14.10.2 and 15.5-rc-1
org.xwiki.platform:xwiki-web-standard versions 2.4-milestone-2 through 3.1-milestone-1
Description

The issue allows an attacker who holds a wiki account to create a template provider containing malicious code on any document in the wiki; the attacker's own user profile suffices, since it is editable by default. The code is executed when the template provider is selected during document creation, which the attacker can trigger by sending a user to a crafted URL. The code then runs with the rights of the user who opened the link, potentially allowing remote code execution and full read and write access to the whole XWiki installation.
Recommendations

For versions 3.1-milestone-1 through 13.4-rc-1 of XWiki Platform, update to version 13.4-rc-1 or later.
For versions prior to 14.10.2 and 15.5-rc-1 of org.xwiki.platform:xwiki-platform-web-templates, update to version 14.10.2 or 15.5-rc-1 or later.
For versions 2.4-milestone-2 through 3.1-milestone-1 of org.xwiki.platform:xwiki-web-standard, update to version 3.1-milestone-1 or later.
As a temporary workaround, consider manually applying the changes from the fix to the vulnerable template file createinline.vm.
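A defender-side audit for the condition described above, added here as an example and not part of the advisory or the XWiki project: it scans exported XWiki documents for template-provider objects that sit on a user profile or carry script-like property values. It assumes the object class names XWiki.TemplateProviderClass and XWiki.XWikiUsers and a simplified xwikidoc export layout; the two sample documents are constructed.

```python
"""Audit exported XWiki documents for template providers planted on user profiles
or carrying script-like property values. Added example; the class names and the
simplified xwikidoc layout below are assumptions, not taken from the advisory."""
import xml.etree.ElementTree as ET

PROVIDER_CLASS = "XWiki.TemplateProviderClass"   # assumed class name
USER_CLASS = "XWiki.XWikiUsers"                  # assumed class name
# Heuristic markers of wiki macros, Velocity references or HTML in a value.
SCRIPT_MARKERS = ("{{", "$", "#", "<script", "javascript:")


def audit_document(xml_text):
    """Return (document reference, reason) findings for one exported document."""
    root = ET.fromstring(xml_text)
    doc_ref = f"{root.findtext('web')}.{root.findtext('name')}"
    objects = root.findall("object")
    is_user_profile = any(o.findtext("className") == USER_CLASS for o in objects)
    findings = []
    for obj in objects:
        if obj.findtext("className") != PROVIDER_CLASS:
            continue
        if is_user_profile:
            findings.append((doc_ref, "template provider defined on a user profile"))
        for prop in obj.findall("property"):
            for field in prop:  # one <property> wraps one named field
                value = field.text or ""
                if any(marker in value for marker in SCRIPT_MARKERS):
                    findings.append((doc_ref, f"script-like content in provider field '{field.tag}'"))
    return findings


def audit_export(documents):
    """Run the audit over several exported documents and merge the findings."""
    return [f for doc in documents for f in audit_document(doc)]


# Constructed samples: a provider an administrator defined, and one planted on a profile.
LEGIT_PROVIDER = """<xwikidoc><web>XWiki</web><name>ArticleProvider</name>
<object><className>XWiki.TemplateProviderClass</className>
<property><name>Article</name></property>
<property><template>XWiki.ArticleTemplate</template></property></object></xwikidoc>"""
PLANTED_PROVIDER = """<xwikidoc><web>XWiki</web><name>SomeUser</name>
<object><className>XWiki.XWikiUsers</className>
<property><first_name>Some</first_name></property></object>
<object><className>XWiki.TemplateProviderClass</className>
<property><name>{{groovy}}{{/groovy}}</name></property>
<property><template>XWiki.SomeUser</template></property></object></xwikidoc>"""

if __name__ == "__main__":
    for ref, reason in audit_export([LEGIT_PROVIDER, PLANTED_PROVIDER]):
        print(f"{ref}: {reason}")
```

Every flagged provider should be reviewed and removed unless an administrator can vouch for it; the marker list is a heuristic and will need tuning per installation.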

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2023-45134
GHSA-GR82-8FJ2-GGC3

Affected Products

Xwiki Platform
Xwiki-Platform-Web-Templates
Xwiki-Web-Standard