CVE-2023-27480: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a vulnerability (CVE-2023-27480) that allows users with edit rights to trigger a XAR import on a forged XAR file, potentially exposing the content of any file on the XWiki server host. The vulnerability was discovered and disclosed on March 7, 2023, affecting versions from 1.1-milestone-3 up to versions before 13.10.11, 14.4.7, and 14.10-rc-1 (GitHub Advisory).

The vulnerability is classified as an XML External Entity (XXE) attack with a CVSS v3.1 base score of 7.7 (High). The attack vector is Network-based, with Low attack complexity and requiring Low privileges. No user interaction is needed, and the scope is Changed. The vulnerability primarily impacts confidentiality (High), while integrity and availability remain unaffected (GitHub Advisory).

When exploited, this vulnerability allows an attacker with edit rights to access and display the content of any file on the XWiki server host through a specially crafted XAR file. This represents a significant data leak vulnerability that could expose sensitive system files and configurations (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7, and 14.10-rc-1. For users unable to upgrade, a manual workaround is available by applying the patch e3527b98fd to the XarPackage java class, which involves adding DOCTYPE disallowance in the XML parser (GitHub Commit).