CVE-2023-41046: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a vulnerability (CVE-2023-41046) that allows users to execute Velocity code without having script rights. The vulnerability affects versions from 7.2 up to (excluding) 14.10.10 and from 15.0 up to (excluding) 15.4. The issue was discovered and disclosed in September 2023 (GitHub Advisory).

The vulnerability exists in the TextArea property type of XWiki Platform. Users can exploit this by creating an XClass with a property of type 'TextArea' and content type either 'VelocityCode' or 'VelocityWiki'. For VelocityCode exploitation, the document syntax needs to be set to 'xwiki/1.0'. The vulnerability has a CVSS v3.1 base score of 6.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (GitHub Advisory).

When exploited, the vulnerability allows execution of Velocity code regardless of the author's rights, though edit rights are still required. While the code executes with the correct context author preventing access to privileged APIs, it still grants access to otherwise inaccessible data and APIs that could enable further privilege escalation (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.10 and 15.4 RC1. There are no known workarounds, and users are advised to upgrade to the patched versions (GitHub Advisory).