PT-2023-8613 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2023-04-28 · CVE-2023-29517

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.10.1
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 15.0-rc-1

Description

The office document viewer macro in XWiki Platform allows anyone to read the content of any file on the hosting server, provided that the office server is connected, and limited only by the permissions of the user running the servlet engine. The same issue also allows internal requests to be made to resources reachable from the hosting server.

Recommendations

For versions prior to 13.10.11, upgrade to version 13.10.11 or later.
For versions prior to 14.10.1, upgrade to version 14.10.1 or later.
For versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later.

As a temporary workaround, consider running XWiki in a sandbox as a user with very low privileges on the machine.

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-01266
CVE-2023-29517
GHSA-M3C3-9QJ7-7XMX

Affected Products

Xwiki Platform