CVE-2023-41046

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.10 XWiki Platform versions prior to 15.4 RC1

Description The issue is related to errors in authorization, allowing a remote attacker to execute arbitrary web scripts with elevated privileges. In XWiki, it is possible to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". The Velocity code is executed regardless of the rights of the author of the property, although edit right is still required. This behavior could allow further privilege escalation.

Recommendations For XWiki Platform versions prior to 14.10.10, upgrade to version 14.10.10 or later. For XWiki Platform versions prior to 15.4 RC1, upgrade to version 15.4 RC1 or later. As a temporary workaround, consider restricting access to the Velocity code execution feature until a patch is applied. Avoid using the "VelocityCode" or "VelocityWiki" content types in the "TextArea" property until the issue is resolved.