CVE-2023-50721: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a critical vulnerability (CVE-2023-50721) affecting versions from 4.5-rc-1 up to versions 14.10.15, 15.5.2, and 15.7-rc-1. The vulnerability was discovered in the search administration interface, where improper escaping of search user interface extensions allowed for XWiki syntax injection (GitHub Advisory).

The vulnerability stems from insufficient escaping in the search administration interface, specifically in handling the id and label of search user interface extensions. This allows attackers to inject XWiki syntax containing script macros, including Groovy macros, enabling remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) by GitHub, and 8.8 HIGH by NIST (NVD).

The vulnerability impacts the confidentiality, integrity, and availability of the entire XWiki instance. Any user with the ability to edit wiki pages, including their own profile (which is editable by default), can exploit this vulnerability as user interface extensions can be added on any document (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.15, 15.5.2, and 15.7-rc-1. For users unable to upgrade immediately, the patch can be manually applied to the page 'XWiki.SearchAdmin' as a workaround (GitHub Advisory).