PT-2023-4808 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-08-23 · Updated 2023-09-01 · CVE-2023-40573

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.9
XWiki Platform versions prior to 15.4RC1

Description

The XWiki Platform has a vulnerability caused by insufficient access control. An attacker with edit rights on the wiki can exploit it for remote code execution. The issue arises from the combination of two weaknesses: there is no control over modifying or adding job scripts to documents, and the job scheduler is vulnerable to CSRF. An attacker can create a scheduled job containing a Groovy script and trigger it by embedding an image in a document that an admin visits, which can lead to the execution of arbitrary code. If the attack succeeds, an error log entry containing "Job content executed" is produced.

Recommendations

For versions prior to 14.10.9, update to version 14.10.9 or later. For versions prior to 15.4RC1, update to version 15.4RC1 or later. As a temporary workaround, restrict access to the job scheduler and limit the ability to create or modify scheduled jobs to trusted users only. Avoid using the com.xpn.xwiki.plugin.scheduler.GroovyJob class in scheduled jobs until the issue is resolved.

Exploit

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2023-05271
CVE-2023-40573
GHSA-8XHR-X3V8-RGHJ

Affected Products

Xwiki Platform