PT-2023-31630 · Xwiki · Xwiki Platform

Michael Hamann

Published 2023-12-19 · Updated 2024-01-04

CVE-2023-50732

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.7
XWiki Platform versions prior to 15.2RC1

Description

The issue allows execution of a Velocity script without script right through the document tree. A user without script right can exploit it by creating a document whose title is set to $request.requestURI; upon saving and viewing the document, the Velocity code executes, as shown by the navigation panel displaying a document named with the current URL.

Recommendations

For versions prior to 14.10.7, update to XWiki 14.10.7. For versions prior to 15.2RC1, update to 15.2RC1. As a temporary workaround, consider modifying the page XWiki.DocumentTreeMacros by changing the code #set ($discard = $translatedDocument.setTitle($translatedDocument.title)) to #set ($discard = $translatedDocument.setcomment('')).
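As an added example (not part of this advisory or of XWiki's own code), the following Python audit flags document titles that contain Velocity references or directives, such as the $request.requestURI title described above, so an administrator can spot attempted abuse of this issue in an existing wiki. The page references and titles in SAMPLE_PAGES are constructed for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Velocity references: $var, $!var, ${var}, $var.prop.method (letter required after $).
VELOCITY_REFERENCE = re.compile(
    r"\$!?\{?[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*"
)
# Velocity directives: #set, #if, #foreach, ... (a bare "#3" is not matched).
VELOCITY_DIRECTIVE = re.compile(
    r"#\{?(?:set|if|else|elseif|end|foreach|macro|include|parse|evaluate|define|break|stop)\b"
)


def find_velocity_in_title(title: str) -> List[str]:
    """Return the Velocity-looking tokens found in a single document title."""
    found = [m.group(0) for m in VELOCITY_REFERENCE.finditer(title)]
    found += [m.group(0) for m in VELOCITY_DIRECTIVE.finditer(title)]
    return found


def audit_titles(pages: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Scan (document reference, title) pairs; return those whose title looks like Velocity."""
    hits = []
    for ref, title in pages:
        tokens = find_velocity_in_title(title)
        if tokens:
            hits.append((ref, title, tokens))
    return hits


# Constructed sample data (not taken from any real wiki): one title mirrors the
# advisory's payload, one uses a directive, the others are benign uses of $ and #.
SAMPLE_PAGES = [
    ("Sandbox.Prices", "Plans from $5 a month"),
    ("Sandbox.Evil1", "$request.requestURI"),
    ("Sandbox.Evil2", "#set($x = $services.query) report"),
    ("Sandbox.Normal", "Team meeting #3 notes"),
    ("Sandbox.Money", "Budget $ 2024"),
]

if __name__ == "__main__":
    for ref, title, tokens in audit_titles(SAMPLE_PAGES):
        print(f"{ref}: {title!r} -> {tokens}")
```

In a real deployment the (reference, title) pairs would come from the wiki's document store or REST API; the scan itself is read-only.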

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2023-50732
GHSA-P5F8-QF24-24CJ

Affected Products

Xwiki Platform