XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution when the macro has been installed by a user with programming right, or it at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue.
The width parameter in the column macro is embedded in XWiki syntax without proper escaping, which allows XWiki syntax injection. An attacker can inject arbitrary XWiki code, and as a result — if the extension is installed by a user with programming rights — achieve full remote code execution. In a less privileged scenario, execution of Velocity code with wiki administrator privileges is possible. The vulnerability is accessible to any user who can edit any page or use the CKEditor converter.
An attacker can achieve remote code execution (RCE) on the server side, or at least execute Velocity code with administrator privileges, which in practice means full takeover of the XWiki instance.
XWiki Pro Macros should be updated to version 1.26.5, which contains an official patch for this vulnerability.
XWiki Pro Macros in versions from 1.0 to earlier than 1.26.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXwiki Pro Macros
APPXwiki1.0 – 1.26.5 (bez)
Related vulnerabilities
RCE przez XWiki syntax injection w parametrze classes makra Panel
RCE przez brak escapowania w makrze Viewpdf w XWiki Pro Macros
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Pr...
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Pr...
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch