PT-2023-4807 · Unknown · Xwiki Platform
Michitux · Published 2023-08-21 · Updated 2023-08-29 · CVE-2023-40177
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 4.3M2 through 14.10.4
XWiki Platform versions prior to 15.1RC1
Description
Any registered user can execute arbitrary scripts with programming rights through the content field of their own user profile page, which amounts to a privilege escalation. This is possible because, since version 4.3M2, the AppWithinMinutes application supports a Content field: any wiki page can use its content as an AWM Content field, and the field's custom displayer executes that content with the rights of the author of the AppWithinMinutes.Content page rather than the rights of the user who wrote it.
Recommendations
For XWiki Platform versions 4.3M2 through 14.10.4, update to version 14.10.5 or later.
For XWiki Platform versions prior to 15.1RC1, update to version 15.1RC1 or later.
As a temporary workaround for older versions, modify the content of the AppWithinMinutes.Content page to use the display script service to render the content.
Exploit
Fix
Code Injection
Eval Injection
Related Identifiers
Affected Products
Xwiki Platform