CVE-2023-29206: 
Java vulnerability analysis and mitigation

XWiki Commons, which are technical libraries common to several other top level XWiki projects, contained a vulnerability (CVE-2023-29206) where there was no check on the author of JavaScript xobject or StyleSheet xobject added in a XWiki document. This allowed users with only Edit Rights to create objects and craft scripts that could be executed by users with appropriate rights. The vulnerability was discovered in versions after 3.0-milestone-1 and was patched in XWiki 14.9-rc-1 (GitHub Advisory).

The vulnerability stems from insufficient authorization checks in the skin extension plugin system. When a JavaScript or StyleSheet object was added to a document, the system did not verify if the author had the necessary Script rights before executing the content. This oversight allowed users with only Edit rights to inject potentially malicious scripts that would be executed when accessed by users with higher privileges (XWIKI Jira). The vulnerability has a CVSS v3.1 base score of 9.0 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability could lead to privilege escalation and cross-site scripting (XSS) attacks. An attacker with edit rights could craft malicious scripts that, when executed by users with higher privileges, could perform unauthorized operations such as creating pages, modifying content, or executing arbitrary code with elevated permissions (XWIKI Jira).

The vulnerability was patched in XWiki 14.9-rc-1 by implementing a check that only executes scripts if the author has Script rights. For unpatched versions, there is a workaround available that involves applying a patch to the xwiki-platform-skin-skinx component and rebuilding/redeploying it (GitHub Advisory).