Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
Remediation
References
Related Vulnerabilities
WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.4.37.727)
MediaWiki Improper Handling of Exceptional Conditions Vulnerability (CVE-2020-25869)
MySQL CVE-2020-14773 Vulnerability (CVE-2020-14773)
WordPress Plugin Backup Scheduler Cross-Site Request Forgery (1.5.13)
Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-12167)