PT-2023-8600 · Xwiki · Xwiki Platform

Renniepak · Published 2023-04-18 · Updated 2023-04-28 · CVE-2023-29519

CVSS v3.1: 9.0 (Critical)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.2
XWiki Platform versions prior to 15.0-rc-1

Description

The issue exists because special elements are not neutralized, allowing a remote attacker to execute arbitrary code. A registered user can achieve remote code execution, leading to privilege escalation, by injecting crafted code into the property field of an attachment selector used as a gadget on their own dashboard. Note that the vulnerability does not affect wiki comments.

Recommendations

For versions prior to 13.10.11, upgrade to version 13.10.11 or later.
For versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For versions prior to 14.10.2, upgrade to version 14.10.2 or later.
For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later.

As a temporary workaround, consider applying the changes directly to the XWiki.AttachmentSelector page, as described in the commit https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1.

Exploit

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2024-01253
CVE-2023-29519
GHSA-3HJG-CGHV-22WW

Affected Products

Xwiki Platform