CVE-2023-46242: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical vulnerability (CVE-2023-46242) that allows execution of content with the rights of any user via a crafted URL. The vulnerability affects versions from 1.0 up to (excluding) 14.10.7 and from 15.0 up to (excluding) 15.2. The issue was patched in XWiki versions 14.10.7 and 15.2RC1 (GitHub Advisory, XWiki Jira).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) attack combined with potential Remote Code Execution (RCE). It has received a CVSS v3.1 base score of 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The exploit requires a user with 'programming' privileges to visit a specially crafted URL, which can be accomplished through social engineering techniques such as embedding the malicious URL as an image source (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary content with the privileges of any user who has programming rights on the system. This could lead to complete system compromise through remote code execution, potentially affecting the confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.7 and 15.2RC1. Users are strongly advised to upgrade to these or later versions as there are no known workarounds for this vulnerability (GitHub Advisory).