CVE-2023-29213

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.7 XWiki Platform versions prior to 14.10

Description The issue is related to insufficient authentication of executed requests. It is possible to trick a user with programming rights into visiting a constructed URL, which can evaluate an expression and execute it. This can lead to remote code execution, privilege escalation, or data leaks. The problem can be exploited by embedding an image with a malicious URL in a document viewed by a user with programming rights.

Recommendations For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.7, upgrade to version 14.4.7 or later. For versions prior to 14.10, upgrade to version 14.10 or later. As a temporary workaround, consider restricting access to the org.xwiki.platform:xwiki-platform-logging-ui module to minimize the risk of exploitation. Avoid using the loggeraction set and logger name parameters in the affected API endpoint until the issue is resolved.