PT-2024-27963 · Xwiki · Xwiki Platform

Tmortagne · Published 2024-06-24 · Updated 2024-06-26 · CVE-2024-38369

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 15.0 RC1

Description: The content of a document included with {{include reference="targetdocument"/}} is executed with the rights of the including document's author (the includer), not with the rights of the included document's own author. Any user who can modify the target document can therefore have their content executed with the rights of, and effectively impersonate, the author of the document that uses the include macro. The CVSS vector reflects this: a low-privileged user (PR:L) who can edit one included page obtains the rights of a higher-privileged author, which is why the scope is rated as changed (S:C).

Recommendations: On versions prior to 15.0 RC1, protect every document that is included elsewhere so that only trusted users can modify it; the practical check is to list which documents are targets of include macros and who holds edit rights on them. XWiki 14.10.2 provides a workaround that allows forcing execution of the included content with the rights of the target document's author instead of the default behaviour. Update to XWiki 15.0 RC1 or later, where the default behaviour has been made safe.
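As an added example (not part of this advisory and not XWiki project code), the following Python script performs the audit suggested above: it scans page sources for include macro calls, records which target document each one references, and flags the calls where the included content still runs with the includer's rights while the target can be edited by a broad group. The page sources and the editor map are constructed sample data, and the editor map is a flat, simplified stand-in for XWiki's real rights model. The author="target" parameter is assumed here to be the 14.10.2 workaround the advisory refers to; treat that name as an assumption and check it against your XWiki version's include macro documentation.

```python
"""Audit XWiki page sources for include macros whose target is editable by untrusted users.

Added example, not XWiki project code. Page sources and the editor map below are
constructed sample data; the editor map is a simplified stand-in for XWiki's rights model.
The author="target" parameter is assumed to be the 14.10.2 workaround named in the advisory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample page sources in XWiki 2.1 syntax (not real wiki content).
PAGES = {
    "Main.WebHome": 'Welcome.\n\n{{include reference="Sandbox.Shared"/}}\n',
    "Admin.Report": '{{include reference="Admin.ReportData" author="target"/}}\n',
    "Docs.Index": "See {{include reference='Docs.Footer' section='HFoot'/}} below.\n",
    "Docs.Plain": "No include here.\n",
}

# Constructed, simplified ACL: which groups may edit each target document.
EDITORS = {
    "Sandbox.Shared": {"XWiki.XWikiAllGroup"},      # every registered user can edit
    "Admin.ReportData": {"XWiki.XWikiAdminGroup"},
    "Docs.Footer": {"XWiki.XWikiAdminGroup"},
}

# Groups treated as "anyone" for the purpose of this audit (assumption).
BROAD_GROUPS = {"XWiki.XWikiAllGroup", "XWiki.XWikiGuest"}

MACRO_RE = re.compile(r"\{\{\s*include\b(.*?)/?\}\}", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def parse_includes(source: str) -> list[dict[str, str]]:
    """Return the parameter map of every include macro call found in a page source."""
    calls = []
    for macro in MACRO_RE.finditer(source):
        params = {key.lower(): (dq or sq) for key, dq, sq in PARAM_RE.findall(macro.group(1))}
        calls.append(params)
    return calls


@dataclass(frozen=True)
class Finding:
    includer: str                 # document containing the include macro
    target: str                   # document whose content is included
    forces_target_author: bool    # True when the call carries author="target"
    target_editors: frozenset[str]

    def risky(self) -> bool:
        """Content runs with the includer's rights and a broad group can edit the target."""
        return not self.forces_target_author and bool(self.target_editors & BROAD_GROUPS)


def audit(pages: dict[str, str], editors: dict[str, set[str]]) -> list[Finding]:
    """Collect one Finding per include macro call across all page sources."""
    findings = []
    for name, source in pages.items():
        for params in parse_includes(source):
            target = params.get("reference")
            if not target:
                continue  # malformed call; nothing is included
            findings.append(Finding(
                includer=name,
                target=target,
                forces_target_author=params.get("author", "").lower() == "target",
                target_editors=frozenset(editors.get(target, set())),
            ))
    return findings


def risky_includers(pages: dict[str, str], editors: dict[str, set[str]]) -> list[str]:
    """Names of documents whose author could be impersonated via an included document."""
    return [f.includer for f in audit(pages, editors) if f.risky()]


def force_target_author(source: str) -> str:
    """Apply the assumed 14.10.2 workaround: add author="target" to calls that lack it."""
    def fix(macro: re.Match) -> str:
        body = macro.group(1)
        if re.search(r"\bauthor\s*=", body, re.IGNORECASE):
            return macro.group(0)
        return "{{include" + body.rstrip() + ' author="target"/}}'
    return MACRO_RE.sub(fix, source)


if __name__ == "__main__":
    for finding in audit(PAGES, EDITORS):
        status = "RISKY" if finding.risky() else "ok"
        print(f"{status:5} {finding.includer} -> {finding.target} "
              f"(author=target: {finding.forces_target_author}, "
              f"editors: {sorted(finding.target_editors)})")
    print(force_target_author(PAGES["Main.WebHome"]).strip())
```

Run it against page sources exported from the wiki rather than the embedded samples, and replace the flat EDITORS map with the effective edit rights of each target (XWiki evaluates rights through inheritance from space and wiki level, which this example does not model). Only Main.WebHome is reported as risky: its target is editable by every registered user and the call does not force the target author. On 15.0 RC1 and later the rewrite performed by force_target_author is no longer needed, since the safe behaviour is the default.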

Weakness Enumeration

Incorrect Authorization
Related Identifiers

CVE-2024-38369
GHSA-QCJ3-WPGM-QPXH

Affected Products

Xwiki Platform