CVE-2023-29526

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.3 XWiki Platform versions prior to 15.0-rc-1

Description The issue allows an attacker to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed, providing a code injection vector in the context of the running server. This can be exploited by creating a comment with content such as {{async}}{{display reference="Menu.WebHome" /}}{{/async}} and then opening the comments viewer. There are no known workarounds for this issue.

Recommendations For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.8, upgrade to version 14.4.8 or later. For versions prior to 14.10.3, upgrade to version 14.10.3 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider disabling the async and display macros until a patch is available. Restrict access to comments for guests to minimize the risk of exploitation. Avoid using the reference variable in the display macro until the issue is resolved.