CVE-2023-26473: 
Java vulnerability analysis and mitigation

CVE-2023-26473 affects XWiki Platform, a generic wiki platform. The vulnerability was discovered in version 1.3-rc-1 and allows any user with edit rights to execute arbitrary database select queries and access data stored in the database. The issue was disclosed on March 1, 2023, and has been patched in versions 13.10.11, 14.4.7, and 14.10 (GitHub Advisory).

The vulnerability exists in the DatabaseListProperty and suggest.vm components of XWiki Platform. It allows unauthorized users to execute arbitrary database select queries through the Database List field type in the class editor. The vulnerability has a CVSS v3.1 score of 6.5 (Moderate) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: None, Availability: None (GitHub Advisory).

The vulnerability allows attackers to access sensitive data stored in the database, bypassing normal access controls. Even without scripting rights, an attacker can query and retrieve content from private pages that they would normally not have permission to view (Jira XWiki).

The only recommended mitigation is to upgrade to one of the patched versions: XWiki 13.10.11, 14.4.7, or 14.10. No other workarounds are available for this vulnerability (GitHub Advisory).