CVE-2023-46244: 
Java vulnerability analysis and mitigation

CVE-2023-46244 is a critical security vulnerability affecting XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered and disclosed in November 2023, affecting versions from 3.2-milestone-3 up to (excluding) 14.10.7 and versions from 15.0 up to (excluding) 15.2. This vulnerability allows privilege escalation where users with script rights can execute velocity content with the permissions of any other document content author (GitHub Advisory).

The vulnerability is classified as CWE-863 (Incorrect Authorization) and has received a CVSS v3.1 base score of 9.1 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The issue occurs when a user with script rights but without programming rights can write a script where velocity content is executed with the rights of another document's content author. The expected behavior would be that calls requiring programming rights should display raw content, but instead, the vulnerability allows execution of the script with elevated privileges (NVD, GitHub Advisory).

The vulnerability enables privilege escalation from script rights to programming rights, allowing attackers to execute unauthorized code with elevated privileges. This could potentially lead to complete system compromise as attackers can execute commands with the permissions of other document content authors, including administrators (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.7 and 15.2RC1. Users are strongly advised to upgrade to these or later versions. There are no known workarounds for this vulnerability (GitHub Advisory).