PT-2023-4817 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-06-29 · Updated 2023-07-10 · CVE-2023-36470

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.6
XWiki Platform versions prior to 15.1

Description

The issue allows an attacker to inject XWiki syntax and Velocity code, which is executed with programming rights, thus enabling remote code execution. This can be achieved by creating or editing a document with an icon set. The icon picker can be used to trigger the rendering of any icon set. The XWiki syntax variant of the icon set is used without escaping in some documents, allowing the injection of script macros. The HTML output of the icon set is output as JSON in the icon picker and interpreted as XWiki syntax, allowing the injection of script macros into a document with programming rights. This impacts the confidentiality, integrity, and availability of the whole XWiki instance.

Recommendations

For versions prior to 14.10.6, upgrade to version 14.10.6 or later. For versions prior to 15.1, upgrade to version 15.1 or later.

As a temporary workaround, consider restricting access to the icon picker and editing of icon themes to minimize the risk of exploitation. Avoid using the icon set's HTML or XWiki syntax definition in documents until the issue is resolved. Restrict the use of the icon picker endpoint to prevent the rendering of malicious icon sets.

Exploit

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2023-05280
CVE-2023-36470
GHSA-FM68-J7WW-H9XF

Affected Products

Xwiki Platform