CVE-2023-29521: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical security vulnerability (CVE-2023-29521) that allows any user with view rights to execute arbitrary Groovy, Python, or Velocity code, potentially leading to full access to the XWiki installation. The vulnerability stems from improper escaping of Macro.VFSTreeMacro. This vulnerability affects versions from 7.4-milestone-2 and has been patched in versions 15.0-rc-1, 14.10.2, 14.4.8, and 13.10.11 (GitHub Advisory).

The vulnerability is classified as a privilege escalation issue with a CVSS v3.1 base score of 8.8 HIGH (NIST: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The root cause is identified as improper neutralization of special elements in output used by a downstream component (CWE-74). The vulnerability exists in the VFS Tree macro component, which allows XWiki syntax injection through the root parameter, enabling unauthorized execution of arbitrary code (NVD, Jira Issue).

The vulnerability allows attackers to execute arbitrary Groovy, Python, or Velocity code with full access to the XWiki installation, compromising the system's confidentiality, integrity, and availability. It's worth noting that while the VFS Tree macro is part of xwiki-platform, it is not bundled with XWiki by default, which somewhat limits the potential impact (GitHub Advisory).

The primary mitigation is to upgrade to the patched versions: XWiki 15.0-rc-1, 14.10.2, 14.4.8, or 13.10.11. There are no known workarounds for this vulnerability, making the upgrade the only secure solution (NVD).