CVE-2023-26055: 
Java vulnerability analysis and mitigation

XWiki Commons, a set of technical libraries common to several XWiki projects, was found to contain a critical privilege escalation vulnerability (CVE-2023-26055) affecting versions from 3.1-milestone-1 onwards. The vulnerability allows any user to edit their own profile and inject code that would be executed with programming rights. Additionally, the same vulnerability could be exploited in other areas where short text properties are displayed, such as in applications created using Apps Within Minutes that use short text fields (GitHub Advisory).

The vulnerability stems from improper escaping of text elements in XML context, specifically in the XWikiUtils#escapeElementText functionality. When a user sets their first name to contain specific markup like {{cache}} and {{groovy}}, the content is interpreted and executed instead of being properly escaped. This allows for the execution of arbitrary code with elevated privileges (XCOMMONS-2498).

The vulnerability allows for privilege escalation from a regular user to programming rights, enabling attackers to execute arbitrary code with elevated privileges. This could lead to complete compromise of the XWiki instance, including the ability to modify system configurations and access sensitive data (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.9, 14.4.4, and 14.7RC1. There are no other workarounds available besides upgrading XWiki or patching the xwiki-commons-xml JAR file (GitHub Advisory).