CVE-2023-32069: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, contains a critical vulnerability (CVE-2023-32069) that affects versions from 3.3-milestone-2 up to versions 14.10.4 and 15.0-rc-1. The vulnerability allows users to execute arbitrary code with the privileges of the author of the XWiki.ClassSheet document (GitHub Advisory).

The vulnerability stems from improper authorization controls in the ClassSheet functionality. An attacker can exploit this by adding a DocumentSheetBinding object with the value 'Default Class Sheet' to their user profile and then injecting malicious code through the wiki editor. When the page is viewed, the injected code executes with the privileges of the XWiki.ClassSheet document's author rather than the current user's privileges (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (NVD).

The vulnerability allows authenticated users to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. This can result in unauthorized access to sensitive data, system modifications, and potential service disruptions (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.4 and 15.0-rc-1. Users are strongly advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory).