CVE-2023-29523: 
Java vulnerability analysis and mitigation

CVE-2023-29523 is a critical vulnerability in XWiki Platform, discovered in April 2023, affecting versions from 3.3-milestone-1 up to (but not including) 13.10.11, 14.4.8, and 14.10.2. The vulnerability allows users with profile editing privileges to execute arbitrary script macros, including Groovy and Python, enabling remote code execution (GitHub Advisory).

The vulnerability stems from improper neutralization of directives in dynamically evaluated code in the display method used in user profiles. The issue occurs when the display method on a document is used to display a field with wiki syntax. The vulnerability can be exploited by injecting specific HTML and script macro combinations, allowing execution of arbitrary code with unrestricted read and write access to wiki contents. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary script macros including Groovy and Python macros, enabling remote code execution with unrestricted read and write access to all wiki contents. This can be exploited through user profiles and applications created using App Within Minutes, potentially compromising the entire wiki system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.11, 14.4.8, 14.10.2, and 15.0RC1. There are no workarounds available other than upgrading to a patched version (GitHub Advisory).