CVE-2023-46731: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-46731) was discovered in XWiki Platform, affecting versions prior to 14.10.14 and versions 15.0-rc-1 through 15.5.1. The vulnerability stems from improper escaping of the section URL parameter used in displaying administration sections, allowing any user with read access to the document XWiki.AdminSheet (including unauthenticated users by default) to execute arbitrary code, including Groovy code (GitHub Advisory).

The vulnerability is classified as a Code Injection (CWE-94) and Eval Injection (CWE-95) issue. It received a CVSS v3.1 base score of 10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability impacts the confidentiality, integrity, and availability of the entire XWiki instance. Successful exploitation allows attackers to execute arbitrary code, potentially leading to complete system compromise. The vulnerability affects all users with read access to the XWiki.AdminSheet document, which by default includes unauthenticated users (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.14, 15.6 RC1, and 15.5.1. For users unable to upgrade, a manual fix can be applied by modifying the document XWiki.AdminSheet to replace the vulnerable code. Alternatively, to protect against attacks from unauthenticated users, the view right for guests can be removed from the affected document, as it is only needed for space and wiki administrators (GitHub Advisory).