CVE-2023-37910: 
Java vulnerability analysis and mitigation

CVE-2023-37910 affects XWiki Platform, a generic wiki platform, from version 14.0-rc-1 up to versions 14.4.8, 14.10.4, and 15.0-rc-1. The vulnerability was discovered and reported through Intigriti by researcher Mete, and has been assigned a CVSS v3.1 base score of 8.1 (HIGH) (GitHub Advisory).

The vulnerability is classified as CWE-862 (Missing Authorization) and allows unauthorized access to attachments through the attachment move functionality. The vulnerability exists in the org.xwiki.platform:xwiki-platform-attachment-api component and has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating network accessibility with low attack complexity and requiring low privileges (GitHub Advisory).

An attacker with edit access on any document (including user profiles which are editable by default) can move any attachment from any other document to their controlled document. This allows unauthorized access and potential publication of any attachment whose name is known, regardless of the attacker's view or edit rights on the source document. Additionally, the attachment is deleted from the source document (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.4.8, 14.10.4, and 15.0-rc-1. There are no workarounds available, and users must upgrade to a fixed version to mitigate the vulnerability (GitHub Advisory).