CVE-2024-21650: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical remote code execution (RCE) vulnerability (CVE-2024-21650) in its user registration feature. The vulnerability was discovered in January 2024 and affects all installations with user registration enabled for guests. The vulnerability impacts versions prior to 14.10.17, 15.0-rc-1 through 15.5.3, and 15.6-rc-1 through 15.8-rc-1 (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code by crafting malicious payloads in the 'first name' or 'last name' fields during user registration. The issue stems from improper handling of user input in the RegistrationConfig.xml file, where user inputs were directly embedded into the registration success message without appropriate sanitization. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (NIST) and 10.0 CRITICAL (GitHub) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD, GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code on affected systems through the user registration process. This could potentially lead to complete system compromise, unauthorized data access, and system control. The attack requires no user interaction or special privileges, making it particularly dangerous for systems with guest registration enabled (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.17, 15.5.3, and 15.8 RC1. For users unable to update immediately, a workaround is available by modifying the 'Registration Successful Message' in the administration panel under 'Users & Rights' > 'Registration'. The workaround involves using $xwiki.getUserName for secure user link construction and proper message templating (GitHub Advisory, GitHub Commit).