CVE-2023-50732: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a vulnerability (CVE-2023-50732) that allows execution of Velocity scripts without script rights through the document tree. The vulnerability affects versions from 8.3-rc-1 up to versions 14.10.7 and 15.2RC1, which contain the fixes (GitHub Advisory).

The vulnerability is classified as CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L). The issue allows unauthorized users to execute Velocity scripts through the document tree functionality, even without having script execution rights. The vulnerability stems from the document tree macro setting the title which changes the document's author to the author of XWiki.DocumentTreeMacros, allowing script execution (GitHub Advisory, XWiki Issue).

The vulnerability can lead to privilege escalation, potentially allowing attackers to gain programming rights through various exploit chains. While some exploits require admin interaction, others can be executed without any user interaction. The vulnerability affects confidentiality, integrity, and availability at low levels across the system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.7 and 15.2RC1. As a workaround, users can modify the page XWiki.DocumentTreeMacros by replacing the code #set ($discard = $translatedDocument.setTitle($translatedDocument.title)) with #set ($discard = $translatedDocument.setcomment('')) (GitHub Advisory).