CVE-2023-26478: 
Java vulnerability analysis and mitigation

CVE-2023-26478 affects XWiki Platform, a generic wiki platform. The vulnerability was discovered in version 14.3-rc-1 and was patched in versions 14.9-rc-1 and 14.4.6. The issue involves the org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment method returning an instance of com.xpn.xwiki.doc.XWikiAttachment, which is not intended to be exposed to users without proper programming rights (GitHub Advisory).

The vulnerability stems from a method implementation that returns an XWikiAttachment instance instead of using the proper com.xpn.xwiki.api.Attachment class. The latter class is designed to handle user rights verification before performing potentially dangerous operations. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, while GitHub assessed it with a score of 6.6 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-749 (Exposed Dangerous Method or Function) (NVD).

The vulnerability could allow users without proper programming rights to access and manipulate sensitive attachment data through the exposed XWikiAttachment class. This exposure could lead to unauthorized operations and potential security breaches in the system (GitHub Advisory).

The vulnerability has been patched in XWiki Platform versions 14.9-rc-1 and 14.4.6. The fix involves modifying the TemporaryAttachmentsScriptService to return a proper com.xpn.xwiki.api.Attachment instance instead of the XWikiAttachment class. There are no known workarounds for this issue, and users are advised to upgrade to the patched versions (GitHub Advisory).