XWiki Improper Control of Generation of Code (Code Injection) Vulnerability - CVE-2023-26477

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4 it39s possible to inject arbitrary wiki syntax including Groovy Python and Velocity script macros via the newThemeName request parameter (URL parameter) in combination with additional parameters. This has been patched in the supported versions 13.10.10 14.9-rc-1 and 14.4.6. As a workaround it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.