CVE-2023-46242

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.7 XWiki Platform versions prior to 15.2RC1

Description The issue allows an attacker to execute content with the rights of any user via a crafted URL. A user must have programming privileges to exploit this vulnerability. This is possible because the edit action sets and executes the page content without checking for a cross-site request forgery (CSRF) token. For example, an attacker can make a user with programming rights visit a URL like <xwiki-host>/xwiki/bin/edit/Main/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view, where <xwiki-host> is the URL of the XWiki installation, to execute the Groovy macro.

Recommendations For XWiki Platform versions prior to 14.10.7, upgrade to version 14.10.7 or later. For XWiki Platform versions prior to 15.2RC1, upgrade to version 15.2RC1 or later. As a temporary workaround, consider restricting access to the programming privileges until a patch is applied. Avoid using the groovy macro in the affected API endpoint until the issue is resolved.