PT-2023-4818 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-06-29 · Updated 2023-07-10 · CVE-2023-36469

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.6
XWiki Platform versions prior to 15.2RC1

Description
The issue allows any user who can edit their own user profile and notification settings to execute arbitrary script macros, including Groovy and Python macros. This enables remote code execution with unrestricted read and write access to all wiki contents. The exploitation can be achieved by manipulating the user profile settings and executing malicious code through the notification system.

Recommendations
For versions prior to 14.10.6, update to version 14.10.6 or later. For versions prior to 15.2RC1, update to version 15.2RC1 or later. As a temporary workaround, consider manually patching the affected document XWiki.Notifications.Code.NotificationRSSService. However, this will require additional changes to Velocity templates and may break certain functionality.

Exploit · Fix

Weakness Enumeration
RCE
Special Elements Injection

Related Identifiers
BDU:2023-05281
CVE-2023-36469
GHSA-94PF-92HW-2HJC

Affected Products

Xwiki Platform