CVE-2023-29211: 
Java vulnerability analysis and mitigation

CVE-2023-29211 affects XWiki Commons, technical libraries common to several XWiki projects. The vulnerability was discovered in October 2022 and publicly disclosed in April 2023. Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python, or Velocity code in XWiki due to improper escaping of the wikiId url parameter. The vulnerability affects versions from 5.3-milestone-2 and has been patched in XWiki versions 13.10.11, 14.4.7, and 14.10 (GitHub Advisory).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). It has received a CVSS v3.1 base score of 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability stems from insufficient input validation of the wikiId URL parameter in the DeleteWiki functionality (XWiki Issue).

The vulnerability allows authenticated users with view rights to WikiManager.DeleteWiki to execute arbitrary Groovy, Python, or Velocity code, leading to full access to the XWiki installation. This represents a significant privilege escalation from basic view rights to programming rights (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7, and 14.10. Users are advised to upgrade to these patched versions. For those unable to upgrade immediately, a manual patch can be applied to fix the issue (GitHub Advisory).