CVE-2023-46731
Summary
A vulnerability in XWiki Platform allows unauthenticated users to execute arbitrary code, including Groovy code, by exploiting the improperly escaped 'section' URL parameter. This flaw affects the confidentiality, integrity, and availability of XWiki instances. Patches are available in versions 14.10.14, 15.6 RC1, and 15.5.1, with manual fixes also suggested for users unable to upgrade.
IFF Assessment
This vulnerability enables unauthenticated attackers to execute arbitrary code, posing a significant risk to the confidentiality, integrity, and availability of XWiki instances.
Severity
Defender Context
This critical vulnerability in XWiki Platform allows for remote code execution by unauthenticated users, highlighting the need for prompt patching and careful review of default access controls. Defenders should prioritize updating XWiki instances to the patched versions and consider restricting guest access to sensitive administrative documents.
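Two of the defender actions above can be scripted: deciding whether a given XWiki version already carries the fix, and looking through web-server access logs for requests whose 'section' parameter does not look like an ordinary section name. The Python below is an added example written for this page; it is not XWiki project code and not taken from the advisory. Its assumptions are labelled in the comments: the fixed versions are the three the summary names (14.10.14, 15.6 RC1, 15.5.1) and branches older than 14.x or newer than 15.x are treated as unpatched and patched respectively; legitimate section names are assumed to be plain identifiers; and the log lines, IP addresses and request path are constructed samples, since the advisory does not name the affected endpoint.

```python
"""Triage helpers for CVE-2023-46731 (XWiki 'section' URL parameter).

Added example, not XWiki project code. Two pieces:
  * is_patched(): compares an XWiki version string against the fixed
    versions named in the advisory (14.10.14, 15.6 RC1, 15.5.1).
  * suspicious_section_requests(): scans access-log lines for requests
    whose 'section' query parameter contains characters that a normal
    section name would not (assumption: legitimate values are identifiers).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Accepts "14.10.14", "15.6 RC1", "15.6-rc-1", "15.5.1" and similar forms.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[\s._-]*rc[\s._-]*(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_final, rc).

    A release candidate sorts before the final release of the same number,
    so 15.6 RC1 < 15.6 while 15.6 RC1 > 15.5.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch else 0
    if rc is None:
        return (int(major), int(minor), patch, 1, 0)
    return (int(major), int(minor), patch, 0, int(rc))


# Fixed versions from the advisory, one per maintained branch.
_FIX_14 = parse_version("14.10.14")
_FIX_15_5 = parse_version("15.5.1")
_FIX_15_6 = parse_version("15.6 RC1")


def is_patched(version):
    """True if the given XWiki version includes the fix for CVE-2023-46731."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 14:
        return False  # assumption: no fixed release exists for pre-14.x branches
    if major == 14:
        return v >= _FIX_14
    if major == 15:
        return v >= _FIX_15_5 if minor <= 5 else v >= _FIX_15_6
    return True  # assumption: later major versions carry the fix forward


# Assumption: a legitimate section name is a plain identifier-like token.
_SAFE_SECTION = re.compile(r"^[A-Za-z0-9_.\-]*$")

# Common access-log layout: client, ident, user, [time], "METHOD path proto", status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_section_requests(log_lines):
    """Return one finding per request whose 'section' value fails the
    identifier check. Percent-encoding is decoded twice so that a
    double-encoded value is inspected in its final form."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected layout
        query = urlsplit(m.group("path")).query
        for raw in parse_qs(query, keep_blank_values=True).get("section", []):
            value = unquote(raw)  # parse_qs decoded once already
            if not _SAFE_SECTION.match(value):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": m.group("status"),
                    "section": value,
                })
    return findings


# Constructed sample log; the request path is a placeholder, not the real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2023:09:14:02 +0000] "GET /xwiki/bin/admin/Example/Page?section=Presentation HTTP/1.1" 200 5120
203.0.113.10 - - [10/Nov/2023:09:14:07 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8810
198.51.100.7 - - [10/Nov/2023:09:15:31 +0000] "GET /xwiki/bin/admin/Example/Page?section=Editing%7B%7D%28%29 HTTP/1.1" 200 5301
198.51.100.7 - - [10/Nov/2023:09:15:40 +0000] "GET /xwiki/bin/admin/Example/Page?section=%2524%257Bx%257D HTTP/1.1" 200 5299
"""

if __name__ == "__main__":
    for ver in ("14.10.13", "14.10.14", "15.5", "15.5.1", "15.6 RC1"):
        print(f"{ver:>10}: {'patched' if is_patched(ver) else 'VULNERABLE'}")
    for f in suspicious_section_requests(SAMPLE_LOG.splitlines()):
        print("suspicious section value", repr(f["section"]), "from", f["ip"], "at", f["time"])
```

The identifier check is deliberately a whitelist rather than a list of known-bad substrings: anything outside the expected character set is surfaced for a human to look at, which catches encodings and variants a blocklist would miss, at the cost of some false positives from unusual but legitimate section names.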