CVE-2023-45138: 
Java vulnerability analysis and mitigation

The XWiki Change Request Extension (CVE-2023-45138) is a critical vulnerability discovered in versions 0.11 through 1.9.2 of the Change Request application. This vulnerability allows users without any specific rights to perform script injection and remote code execution by simply inserting malicious content in the title when creating a new Change Request. The vulnerability was disclosed on October 12, 2023, and has been fixed in version 1.9.2 (GitHub Advisory).

The vulnerability stems from improper input validation in the Change Request application's title handling functionality. It is classified as CWE-79 (Cross-site Scripting) and allows for both XSS and remote code execution capabilities. The vulnerability has received a CVSS v3.1 base score of 10.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating the highest possible severity level (GitHub Advisory).

The vulnerability's impact is particularly critical as it affects a core functionality intended for users without special privileges. An attacker can exploit this vulnerability to execute arbitrary code on the system, potentially leading to complete system compromise. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as 'High' in the CVSS scoring (GitHub Advisory).

The primary mitigation is to upgrade to Change Request version 1.9.2 or later. For users unable to upgrade immediately, a workaround is available by editing the document 'ChangeRequest.Code.ChangeRequestSheet' and implementing the same changes as in the fix commit 7565e72. The fix involves proper escaping of the title content to prevent script injection (GitHub Advisory).