CVE-2023-40177: 
Java vulnerability analysis and mitigation

CVE-2023-40177 affects XWiki Platform, a generic wiki platform, from version 4.3M2 up to versions prior to 14.10.5 and 15.1RC1. The vulnerability was discovered when AppWithinMinutes Application added support for the Content field, allowing any wiki page (including user profile pages) to use its content as an AWM Content field (GitHub Advisory).

The vulnerability stems from a custom displayer in the AppWithinMinutes.Content page that executes content with the rights of the AppWithinMinutes.Content author instead of the content author's rights. This implementation flaw allows for privilege escalation through content field manipulation. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L, indicating high severity with network attack vector and low attack complexity (GitHub Advisory).

The vulnerability allows any registered user to execute arbitrary scripts with programming rights through their user profile page's content field, effectively achieving privilege escalation. This could lead to unauthorized access and potential system compromise (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.5 and 15.1RC1. The fix modifies the AppWithinMinutes.Content page to use the display script service for content rendering, ensuring proper author rights checks. For older unpatched versions, administrators can manually modify the AppWithinMinutes.Content page to replace the content rendering method with the secure display script service (GitHub Advisory).