
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2023-29519) was discovered in XWiki Platform, a generic wiki platform offering runtime services for applications. It affects versions from 3.0-rc-1 up to, but not including, the fixed releases 13.10.11, 14.4.8, 14.10.2, and 15.0-rc-1. The issue was discovered and reported by René de Sain (@renniepak) (GitHub Advisory).
The vulnerability is classified as an Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in the org.xwiki.platform:xwiki-platform-attachment-ui component. It has been assigned a CVSS v3.1 score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating high severity impacts on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability allows a registered user to achieve remote code execution and, through it, privilege escalation: the user injects code into the 'property' field of an attachment selector, in particular when the selector is used as a gadget in their own dashboard. Wiki comments are not affected (GitHub Advisory).
The vulnerability has been patched in XWiki versions 13.10.11, 14.4.8, 14.10.2, and 15.0-rc-1. Users are advised to upgrade to these or later versions. A temporary workaround is available by applying specific changes to the XWiki.AttachmentSelector page as detailed in commit 5e8725b (GitHub Advisory).
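To turn the affected-version statement above into something an inventory script can apply, here is an added example (not part of this report or of XWiki itself) that parses XWiki version strings, including release candidates such as 15.0-rc-1, and decides whether a version falls inside the affected range. The fixed-version list is taken from the report; the branch rule (a version is fixed when it is at or above the fix for its own major.minor line, or at or above the newest fix overall) is this example's assumption about how "versions before 13.10.11, 14.4.8, 14.10.2, and 15.0-rc-1" should be read.

```python
"""Version-range check for CVE-2023-29519 in XWiki Platform.

Added example, not code from the original report or the XWiki project.
FIXED_VERSIONS and FIRST_AFFECTED come from the report; the branch-matching
rule in is_affected() is an assumption about how the ranges should be read.
"""
import re

FIRST_AFFECTED = "3.0-rc-1"
FIXED_VERSIONS = ["13.10.11", "14.4.8", "14.10.2", "15.0-rc-1"]

# major.minor[.patch][-tag[-n]]  e.g. 14.10.2, 15.0-rc-1, 14.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)-?(\d+)?)?$")


def parse_version(text):
    """Turn an XWiki version string into a sortable tuple.

    A pre-release (e.g. '15.0-rc-1') must sort before the final release of the
    same number, so the tuple carries a flag: 0 for pre-release, 1 for final,
    followed by the pre-release counter.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    is_final = 0 if tag else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(tag_num or 0))


def branch(version_tuple):
    """The maintenance line a version belongs to (major.minor)."""
    return version_tuple[:2]


def is_affected(version):
    """True when `version` is inside the range the report describes.

    Assumed rule: a version is fixed if it is at or above the fix for its own
    major.minor line, or at or above the newest fix overall (15.0-rc-1);
    otherwise it is affected as long as it is not older than 3.0-rc-1.
    """
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return False
    fixes = [parse_version(f) for f in FIXED_VERSIONS]
    if v >= max(fixes):
        return False
    for f in fixes:
        if branch(f) == branch(v) and v >= f:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inventory, one version per deployment.
    for ver in ["2.7.2", "3.0-rc-1", "13.10.10", "13.10.11", "14.4.7",
                "14.4.8", "14.5", "14.10.1", "14.10.2", "15.0-rc-1", "15.1"]:
        print(f"{ver:>10}  {'AFFECTED' if is_affected(ver) else 'fixed/unaffected'}")
```

Note that 14.5 through 14.10.1 come out as affected: they sit above the 14.4.8 fix but on a different line, so only 14.10.2 or later (or 15.0-rc-1 or later) counts as patched there.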
Source: This report was generated using AI