CVE-2023-36477: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical security vulnerability (CVE-2023-36477) that affects versions from 1.9 up to 1.64.9 of the CKEditor Integration and XWiki versions from 14.6 up to 14.10.6. The vulnerability was discovered and disclosed on June 30, 2023, allowing any user with edit rights to modify all pages in the CKEditor space (GitHub Advisory).

The vulnerability stems from improper access control in the CKEditor space, where users with basic edit permissions could access and modify critical configuration pages. This security flaw enables unauthorized users to edit javascript configurations and perform unauthorized actions. The vulnerability has been assigned a CVSS v3.1 base score of 9.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) by GitHub, while NVD rates it as 5.4 MEDIUM. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability can lead to multiple severe consequences including the removal of technical documents resulting in service disruption, and the ability to inject malicious JavaScript code leading to persistent Cross-Site Scripting (XSS) attacks. This allows attackers to potentially execute arbitrary code in users' browsers when they access affected pages (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.6 and 15.1, as well as in CKEditor Integration extension version 1.64.9 for XWiki versions older than 14.6RC1. For users unable to upgrade immediately, a manual workaround is available by restricting the 'edit' and 'delete' rights to trusted users or groups (e.g., the XWiki.XWikiAdminGroup group), effectively disabling these permissions for all other users (GitHub Advisory, GitHub Patch).