CVE-2023-29527

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.3 XWiki Platform versions prior to 15.0-rc-1

Description The issue allows a user without script or programming rights to edit a user profile or any other document with the wiki editor and add groovy script content. When the document is viewed after saving, the groovy script is executed in the server context, providing code execution. This can be exploited by a remote attacker to inject arbitrary code.

Recommendations For versions prior to 14.10.3, upgrade to version 14.10.3 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider restricting access to the wiki editor for users without script or programming rights until a patch is applied. Avoid using the groovy script content in documents until the issue is resolved.