PT-2023-8606 · Unknown · XWiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2023-05-01 · CVE-2023-29524

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.3
XWiki Platform versions prior to 15.0 RC1
Description
The issue allows a user without script or programming rights to execute arbitrary code by adding a new object of type XWiki.SchedulerJobClass to their user profile and inserting Groovy code in its "Job Script" field. When the object is viewed, that code is executed in the server context with the rights of the Scheduler Application sheet page. The estimated number of potentially affected devices is not specified, and there are no reported real-world incidents of this issue being exploited. The XWiki.SchedulerJobClass object and its "Job Script" field are the key components in exploiting this issue.
Recommendations
For XWiki Platform versions prior to 14.10.3, upgrade to version 14.10.3 or later.
For XWiki Platform versions prior to 15.0 RC1, upgrade to version 15.0 RC1 or later.
As a temporary workaround, consider restricting access to the object editor and to the XWiki.SchedulerJobClass object to minimize the risk of exploitation, and avoid using the "Job Script" field of the XWiki.SchedulerJobClass object until the issue is resolved.

Weakness Enumeration
Special Elements Injection

Related Identifiers
BDU:2024-01259
CVE-2023-29524
GHSA-FC42-5W56-QW7H

Affected Products
XWiki Platform