CVE-2023-46243: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it, was found to contain a critical vulnerability (CVE-2023-46243) that allows privilege escalation and remote code execution. The vulnerability affects all versions from 1.0 up to (excluding) 14.10.6 and versions from 15.0 up to (excluding) 15.2RC1. The issue was discovered and disclosed in November 2023, allowing users with edit rights to execute arbitrary content with the privileges of an existing document's content author (GitHub Advisory).

The vulnerability stems from the edit action functionality where a user can execute content with the rights of an existing document's content author if they have edit permissions. The attack can be performed by crafting a specific URL in the format /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello%2Bfrom%2BGroovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view, which allows execution of arbitrary Groovy code on the server. The vulnerability has been assigned a CVSS v3.1 score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers with edit permissions to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. This affects the confidentiality, integrity, and availability of the entire XWiki installation, as attackers can execute Groovy code with the permissions of a document's content author who has programming rights (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are strongly advised to upgrade to these or newer versions. There are no known workarounds for this vulnerability, making the upgrade the only effective mitigation strategy (GitHub Advisory).