CVE-2023-32069

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 3.3-milestone-2 through 14.10.3 XWiki Platform versions prior to 15.0-rc-1

Description The issue is related to authorization errors in the XWiki Platform, allowing a remote attacker to elevate their privileges. A user can execute actions with the rights of the author of the XWiki.ClassSheet document. This can be achieved by editing the user profile with the object editor and adding a specific object, then editing the profile with the wiki editor and adding certain syntax. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited.

Recommendations For XWiki Platform versions 3.3-milestone-2 through 14.10.3, update to version 14.10.4 to resolve the issue. For XWiki Platform versions prior to 15.0-rc-1, update to version 15.0-rc-1 to resolve the issue. As a temporary workaround, consider restricting access to the DocumentSheetBinding object and the groovy syntax in the wiki editor to minimize the risk of exploitation.