CVE-2023-29522: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical security vulnerability (CVE-2023-29522) that allows any user with view rights to execute arbitrary script macros including Groovy and Python macros. The vulnerability enables remote code execution with unrestricted read and write access to all wiki contents. The issue was discovered in December 2022 and patched in April 2023. The vulnerability affects versions from 7.0-rc-1 up to (excluding) versions 14.4.8, 14.10.3, and 15.0RC1 (GitHub Advisory, NVD).

The vulnerability stems from improper input validation where an attacker can craft a malicious payload within a non-existing page name. When such a page is accessed with specific parameters, it triggers the execution of arbitrary script macros. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L, indicating network accessibility, low attack complexity, and high impact on confidentiality and integrity (GitHub Advisory).

The vulnerability allows attackers with basic view permissions to execute arbitrary code on the server, leading to complete system compromise. This includes the ability to read and write any wiki content, effectively bypassing all security restrictions. The attack can be performed remotely and requires minimal user interaction, making it particularly dangerous for exposed XWiki installations (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.4.8, 14.10.3, and 15.0RC1. Users are strongly advised to upgrade to these or newer versions. The fix primarily involves improvements to the escaping mechanism in XWiki.ClassSheet. There are no known workarounds other than upgrading to a patched version (GitHub Advisory).