CVE-2023-50722: 
Java vulnerability analysis and mitigation

CVE-2023-50722 affects XWiki Platform, a generic wiki platform, from version 2.3 up to versions 14.10.15, 15.5.2, and 15.7-rc-1. The vulnerability was discovered in December 2023 and involves a reflected XSS (Cross-Site Scripting) and remote code execution vulnerability in the code for displaying configurable admin sections (GitHub Advisory).

The vulnerability exists in the code for displaying configurable admin sections where malicious code can be passed through a URL parameter. The vulnerability is triggered when a user with edit rights on at least one configuration section visits a crafted URL. The issue has been assigned a CVSS v3.1 base score of 9.6 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

This vulnerability allows full remote code execution with programming rights, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The attacker can execute arbitrary code with elevated privileges when a user with administrative access visits a specially crafted URL (GitHub Advisory).

The vulnerability has been fixed in XWiki versions 14.10.15, 15.5.2, and 15.7RC1. For users unable to upgrade immediately, the patch can be manually applied to the document XWiki.ConfigurableClass (GitHub Advisory).