XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.
The wiki macro creation mechanism (WikiMacroClass) does not require administrator privileges — a regular user account is sufficient. An attacker can add an appropriately crafted `XWiki.WikiMacroClass` instance to any page, which leads to arbitrary server-side code execution. The vulnerability is classified as indirect script injection (CWE-96) and code injection (CWE-94), and its scope extends beyond a single component context (CVSS Scope: Changed).
An attacker with any user account can take full control of the XWiki instance, gaining unauthorized access to data, the ability to modify it, and the ability to disrupt platform operations.
XWiki Platform should be updated to version 15.10.11, 16.4.1, or 16.5.0. As a workaround, it is possible to manually apply a patch on the `XWiki.XWikiSyntaxMacrosList` page in accordance with the vendor's reference instructions.
XWiki Platform versions from 9.7-rc-1 to 15.10.10 inclusive, as well as versions from the 16.x branch before 16.4.1 and 16.5.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki16.5.09.7 – 15.10.11 (bez)16.0.0 – 16.4.1 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra