CVE-2023-29518: 
Java vulnerability analysis and mitigation

CVE-2023-29518 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered and disclosed in April 2023, allowing any user with view rights to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause was identified as improper escaping of Invitation.InvitationCommon, a page installed by default (GitHub Advisory, NVD).

The vulnerability stems from improper escaping in the Invitation.InvitationCommon page, which contains a rights object that explicitly grants view rights to all users and guests. The CVSS v3.1 base score is 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) (GitHub Advisory).

The vulnerability allows attackers with view rights to execute arbitrary code, including Groovy, Python, or Velocity scripts, potentially leading to complete compromise of the XWiki installation. This could result in unauthorized access to all wiki contents and full system control. The vulnerability is particularly severe as it affects a default installation component and could potentially be exploited on otherwise relatively closed wikis (Jira Issue).

The vulnerability has been patched in XWiki versions 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. Users are advised to upgrade to these or newer versions. For users unable to upgrade immediately, a manual patch can be applied to the Invitation.InvitationCommon page (GitHub Advisory).