CVE-2023-50722

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 2.3 through 14.10.14 XWiki Platform versions 14.10.15 through 15.5.1 XWiki Platform versions 15.5.2 through 15.7-rc-1

Description The issue concerns a reflected XSS or direct remote code execution vulnerability in the code for displaying configurable admin sections. This vulnerability can be exploited by passing malicious code through a URL parameter, which is executed when a user with edit rights on at least one configuration section visits the crafted URL. It does not require the attacker to have an account or access on the wiki, making it sufficient to trick an admin user into visiting the malicious URL. This vulnerability allows full remote code execution with programming rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation.

Recommendations For XWiki Platform versions 2.3 through 14.10.14, update to version 14.10.15 or later. For XWiki Platform versions 14.10.15 through 15.5.1, update to version 15.5.2 or later. For XWiki Platform versions 15.5.2 through 15.7-rc-1, update to version 15.7RC1 or later. As a temporary workaround, consider restricting access to the configurable admin sections until a patch is applied. The patch can be manually applied to the document XWiki.ConfigurableClass.