Caleb James Delisle

#37258 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-16966
7.5
2022-04-28
Xwiki · Xwiki · CVE-2022-24897
**Name of the Vulnerable Software and Affected Versions**

- XWiki versions 2.3 through 12.6.6
- XWiki versions 12.7.0 through 12.10.2
- XWiki versions 13.0.0 through 13.0.0 before 13.0RC1

**Description**

The Velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki, and it also requires finding an XWiki API which returns a File.

**Recommendations**

- For versions 2.3 through 12.6.6, upgrade to version 12.6.7 or later.
- For versions 12.7.0 through 12.10.2, upgrade to version 12.10.3 or later.
- For versions 13.0.0 through 13.0.0 before 13.0RC1, upgrade to version 13.0RC1 or later.

As a general mitigation measure, be careful when giving Script rights in XWiki.