CVE-2023-46732: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to be vulnerable to reflected cross-site scripting (RXSS) via the rev parameter in the content menu. The vulnerability was identified with CVE-2023-46732 and was discovered in versions from 9.7-rc-1 up to (excluding) 14.10.14 and from 15.0-rc-1 up to (excluding) 15.5.1. The issue was disclosed on November 6, 2023, and was reported by Agostino Parentela, Vulnerability Management Engineer of TicketOne S.p.A (GitHub Advisory).

The vulnerability stems from improper handling of the rev parameter in the content menu, where the parameter value is used without proper escaping. This can be demonstrated by accessing a specially crafted URL containing malicious JavaScript code in the rev parameter. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating its severe nature (GitHub Advisory, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary actions in the name of the user who clicks on a malicious link. In cases where the victim has programming rights, the attacker could achieve remote code (Groovy) execution, potentially compromising the confidentiality, integrity, and availability of the entire XWiki installation (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.6 RC1, 15.5.1, and 14.10.14. Users are advised to upgrade to these patched versions. Alternatively, the patch from commit 04e325d57 can be manually applied without requiring a system upgrade or restart (GitHub Advisory).