CVE-2023-32071: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a critical vulnerability (CVE-2023-32071) that affects versions from 2.2-milestone-1 up to versions 14.4.8, 14.10.4, and 15.0-rc-1. The vulnerability was discovered and reported by René de Sain (@renniepak) through the Intigriti platform. The issue was disclosed on May 9, 2023, and allows attackers to execute JavaScript code with the rights of any user by leading them to a specially crafted URL targeting a page containing an attachment (GitHub Advisory).

The vulnerability is classified as a Reflected Cross-Site Scripting (RXSS) issue, identified with CWE-79 and CWE-116 (Improper Encoding or Escaping of Output). It received a CVSS v3.1 base score of 9.0 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The exploit involves manipulating the 'editor' parameter in the importinline template through a specially crafted URL, which can lead to JavaScript execution in the context of the victim's browser (GitHub Advisory).

If successfully exploited, an attacker can execute JavaScript code with the privileges of the victim user. This allows the attacker to perform any action within the application that the user can perform, view any information accessible to the user, and modify any information that the user has permission to modify (JIRA Issue).

The vulnerability has been patched in XWiki versions 15.0-rc-1, 14.10.4, and 14.4.8. For users unable to update immediately, a workaround is available by editing the file '/templates/importinline.vm' and applying the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01 (GitHub Advisory).