XWiki Platform RCE (CVE-2023-37462)

Description

XWiki Platform contains a code injection vulnerability in the SkinsCode.XWikiSkinsSheet component that allows authenticated users with view-level permissions to inject and execute arbitrary code. This vulnerability enables attackers to execute server-side scripts including Groovy and Python macros, leading to remote code execution on the XWiki server.

Remediation

Upgrade XWiki Platform to a patched release as soon as possible. Apply the version that matches your installed branch: 14.4.8 or later on the 14.4.x branch, 14.10.4 or later on the 14.10.x branch, or 15.0-rc-1 or later on the 15.x branch. After upgrading, confirm against the security advisory that the SkinsCode.XWikiSkinsSheet component carries the fix. If you cannot patch immediately, restrict view permissions to trusted users only as a temporary mitigation until the upgrade is complete.
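An added version check that applies the branch rule above (example code written for this entry, not from Invicti or the XWiki project). The function names `parse_version` and `is_patched` are mine; treating 14.x branches the advisory does not list as unpatched, and releases after 15.x as covered by the "15.0-rc-1 or later" rule, are assumptions.

```python
import re

# Fixed releases named in the advisory for CVE-2023-37462, keyed by affected branch.
FIXED_VERSIONS = {
    (14, 4): "14.4.8",
    (14, 10): "14.10.4",
    (15,): "15.0-rc-1",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?")


def parse_version(version):
    """Turn an XWiki version string ('14.10.3', '15.0-rc-1', '15.1') into a comparable tuple.

    A release candidate sorts below the matching final release, so 15.0-rc-1 < 15.0.
    """
    match = _VERSION_RE.fullmatch(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = match.groups()
    # Final releases get rank 1 so that they compare above any rc (rank 0).
    pre_release = (1, 0) if rc is None else (0, int(rc))
    return (int(major), int(minor), int(patch or 0)) + pre_release


def is_patched(installed):
    """Return True when the installed version meets the advisory's fixed version for its branch.

    Assumptions: 14.x branches the advisory does not list (e.g. 14.7.x) are reported as
    unpatched because no fixed release is given for them; anything from 15.0-rc-1 upward,
    including later major versions, is treated as carrying the fix.
    """
    parsed = parse_version(installed)
    major, minor = parsed[0], parsed[1]
    if major >= 15:
        fixed = FIXED_VERSIONS[(15,)]
    elif (major, minor) in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[(major, minor)]
    else:
        return False
    return parsed >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version in [("wiki-a", "14.10.3"), ("wiki-b", "15.0-rc-1"), ("wiki-c", "14.7.2")]:
        print(host, version, "patched" if is_patched(version) else "UNPATCHED")
```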