Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.
Remediation
References
https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-px54-3w5j-qjg9
https://jira.xwiki.org/browse/XWIKI-20283
Related Vulnerabilities
CVE-2022-35916 Vulnerability in npm package @openzeppelin/contracts
CVE-2021-31712 Vulnerability in npm package react-draft-wysiwyg
CVE-2021-32803 Vulnerability in npm package tar
CVE-2021-4279 Vulnerability in maven package org.webjars.npm:fast-json-patch
CVE-2022-23617 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore