CVE-2024-38369: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, contains a critical security vulnerability where programming rights can be inherited through document inclusion. The vulnerability, identified as CVE-2024-38369, was disclosed on June 24, 2024. The issue affects versions from 1.5-milestone-2 up to versions before 15.0-rc-1, where content included using the include macro is executed with the rights of the includer rather than the content's author (GitHub Advisory).

The vulnerability is classified as CWE-863 (Incorrect Authorization) and has received a Critical CVSS v3.1 score of 10.0. The attack vector is Network-based with Low attack complexity, requiring Low privileges and No user interaction. The scope is Changed, with High impact on Confidentiality, Integrity, and Availability. The technical issue specifically relates to the {{include reference="targetdocument"}} macro, where the included content executes with the privileges of the including document rather than maintaining proper authorization boundaries (GitHub Advisory).

The vulnerability allows any user with the ability to modify a target document to effectively impersonate the author of the content that used the include macro. This can lead to privilege escalation and potential unauthorized access to sensitive information or functionality within the wiki platform (GitHub Advisory).

The vulnerability has been patched in XWiki 15.0 RC1 by implementing a safer default behavior. For users unable to upgrade immediately, a workaround is available in version 14.10.2 that allows forcing the execution of included content with the target content author's privileges instead of the default behavior. Additionally, administrators should ensure that included documents are properly protected to restrict modification access to authorized users only (GitHub Advisory).