PT-2023-8612 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2023-05-01 · CVE-2023-29525

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.3
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 15.0-rc-1
Description

The XWiki Platform is vulnerable to code injection through the since parameter of the "/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration" endpoint. The parameter is inserted into page content without escaping, which allows an XWiki syntax injection attack: a user with only view right can escalate to programming right and thereby gain code execution.
Recommendations

For versions prior to 14.10.3, upgrade to version 14.10.3 or later.
For versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later.

If upgrading is not possible, apply the missing escaping manually:
For versions prior to 14.6-rc-1, modify the file <xwikiwebapp>/templates/distribution/eventmigration.wiki to add the missing escaping.
For versions 14.6-rc-1 and later, modify the page XWiki.Notifications.Code.LegacyNotificationAdministration to add the missing escaping.

Weakness Enumeration

Special Elements Injection

Related Identifiers

BDU:2024-01265
CVE-2023-29525
GHSA-JGG7-W2RJ-58CJ

Affected Products

Xwiki Platform