CVE-2023-29509: 
Java vulnerability analysis and mitigation

CVE-2023-29509 is a critical security vulnerability discovered in XWiki Commons, affecting versions from 7.2-rc-1 up to versions before 13.10.11, 14.4.7, and 14.10. The vulnerability allows any user with view rights on commonly accessible documents to execute arbitrary Groovy, Python, or Velocity code in XWiki, potentially leading to full access to the XWiki installation (GitHub Advisory).

The vulnerability stems from improper escaping of the documentTree macro parameters in FlamingoThemesCode.WebHome, which is installed by default. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers with basic view permissions to escalate their privileges to full programming rights, potentially gaining complete access to the XWiki installation. This could lead to unauthorized access to sensitive data, system manipulation, and potential compromise of the entire XWiki platform (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7, and 14.10. For systems unable to update immediately, the issue can be fixed by replacing the code of FlamingoThemesCode.WebHome with the patched version that properly escapes the documentTree macro parameters (GitHub Commit).