CVE-2023-26477: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a critical vulnerability (CVE-2023-26477) that allows injection of arbitrary wiki syntax, including Groovy, Python, and Velocity script macros. The vulnerability affects versions starting from 6.3-rc-1 and 6.2.4, and was patched in versions 13.10.10, 14.9-rc-1, and 14.4.6. The vulnerability was discovered in the platform's handling of the newThemeName request parameter (GitHub Advisory).

The vulnerability stems from improper neutralization of directives in dynamically evaluated code (Eval Injection) within the org.xwiki.platform:xwiki-platform-flamingo-theme-ui component. The issue occurs when processing the newThemeName request parameter in combination with additional parameters form_token=1 and action=create. The vulnerability allows attackers to inject and execute arbitrary wiki syntax, including script macros, through URL parameters. The vulnerability has been assigned a CVSS v3.1 score of 10.0 (Critical) with vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on the server through script injection. This could lead to complete system compromise, as attackers can inject and execute Groovy, Python, and Velocity script macros. The high severity rating indicates potential for significant impact on system confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, administrators can manually edit the FlamingoThemesCode.WebHomeSheet file and implement the changes from the security patch. The fix involves proper escaping of translation macro parameters (GitHub Advisory, GitHub Commit).