CVE-2023-26474: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, contains a critical vulnerability (CVE-2023-26474) that affects versions from 13.10 onwards. The vulnerability allows users to execute text area properties with the rights of an existing document content author, effectively enabling privilege escalation. This issue was discovered in November 2022 and has been patched in XWiki versions 14.10, 14.4.7, and 13.10.11 (GitHub Advisory).

The vulnerability stems from TextAreaClass overriding the security document that is explicitly set by $doc.display, causing the system to use the content author's privileges instead of the displayed object's author. This affects any TextAreaClass property with wiki syntax enabled that is displayed using the regular displayer. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows attackers with limited privileges to execute code with elevated permissions, potentially leading to unauthorized access to sensitive information and system compromise. For example, an attacker can execute Groovy scripts through the wiki syntax in text areas, even without having script or programming rights (XWIKI Jira).

The vulnerability has been patched in XWiki versions 14.10, 14.4.7, and 13.10.11. Users are strongly advised to upgrade to these patched versions as there are no known workarounds for this vulnerability (GitHub Advisory).