CVE-2023-36469: 
Java vulnerability analysis and mitigation

CVE-2023-36469 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in February 2023 and disclosed on June 29, 2023. It affects XWiki versions from 9.6-rc-1 to versions before 14.10.6, and versions from 15.0-rc-1 to versions before 15.2-rc-1 (GitHub Advisory).

The vulnerability allows any user with the ability to edit their own user profile and notification settings to execute arbitrary script macros, including Groovy and Python macros. This occurs through the NotificationRSSService component when processing RSS feeds. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability enables remote code execution with unrestricted read and write access to all wiki contents. An attacker can exploit this to gain programming rights and execute arbitrary code on the system, effectively achieving privilege escalation from a regular user account (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. As a workaround, administrators can manually patch the affected document 'XWiki.Notifications.Code.NotificationRSSService'. However, this workaround may break the difference links functionality and requires additional changes to Velocity templates. The mentions template, being contained in a .jar file, cannot be fixed without replacing the jar (GitHub Advisory).