PT-2023-4820 · XWiki · XWiki Platform

Manuel Leduc · Published 2023-06-30 · Updated 2023-07-10 · CVE-2023-36477

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.6
XWiki Platform versions prior to 15.1
XWiki Platform versions older than 14.6RC1 with CKEditor Integration extension prior to 1.64.9

Description

The issue allows any user with edit rights to edit all pages in the CKEditor space, enabling harmful actions such as removing technical documents and editing the JavaScript configuration of CKEditor, leading to persistent XSS.

Recommendations

For XWiki Platform versions prior to 14.10.6, upgrade to version 14.10.6 or later.
For XWiki Platform versions prior to 15.1, upgrade to version 15.1 or later.
For XWiki Platform versions older than 14.6RC1, update the CKEditor Integration extension to version 1.64.9 or later.
As a temporary workaround, consider restricting the edit and delete rights on the CKEditor space to a trusted user or group, such as the XWiki.XWikiAdminGroup group, to minimize the risk of exploitation.

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2023-05283
CVE-2023-36477
GHSA-793W-G325-HRW2

Affected Products

CKEditor
XWiki Platform