Xwiki · Xwiki Platform · CVE-2024-55663
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform versions 6.3-milestone-2 through 13.10.4
**Description**
The XWiki Platform is affected by an issue in the `getdocument.vm` template, where the ordering of returned documents is built from an unsanitized request parameter (`request.sort`), allowing any user to inject HQL. Depending on the database backend in use, an attacker may be able to read confidential information, such as password hashes, from the database, and may also be able to execute UPDATE/INSERT/DELETE queries.
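The root cause described above is a sort parameter that flows straight into an HQL `ORDER BY`. The following Java snippet is an added, illustrative example and is not XWiki's code or its actual fix: it shows the risky concatenation pattern next to a hardened variant that treats the request value only as a lookup key into a fixed allowlist of sortable fields and directions. The class name, the field names and the hypothetical `XWikiDocument` query text are assumptions for the sake of the example.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not XWiki's own code: allowlist validation of a user-supplied
// "sort" request parameter before it is used in an HQL ORDER BY clause.
public final class SortParameterGuard {

    // Allowlist: the only ORDER BY targets the template should ever emit.
    // Keys are the values accepted from the request; values are the HQL
    // property paths actually placed into the query (assumed names).
    private static final Map<String, String> SORTABLE_FIELDS = Map.of(
        "name", "doc.name",
        "date", "doc.date",
        "author", "doc.author",
        "space", "doc.space"
    );

    // Only two sort directions are ever allowed through.
    private static final Pattern DIRECTION = Pattern.compile("(?i)(asc|desc)");

    private static final String BASE_QUERY =
        "select doc.fullName from XWikiDocument doc order by ";

    /** The risky pattern: the raw request value becomes part of the HQL text. */
    public static String vulnerableOrderBy(String requestSort) {
        return BASE_QUERY + requestSort;
    }

    /**
     * Hardened variant: the request value is never copied into the query.
     * It is split into a field key and an optional direction; each part is
     * checked against the allowlist and anything unknown falls back to a
     * safe default instead of being echoed into HQL.
     */
    public static String safeOrderBy(String requestSort) {
        String field = "doc.name";   // default field
        String direction = "asc";    // default direction
        if (requestSort != null) {
            String[] parts = requestSort.trim().split("\\s+", 2);
            String key = parts[0].toLowerCase(Locale.ROOT);
            if (SORTABLE_FIELDS.containsKey(key)) {
                field = SORTABLE_FIELDS.get(key);
            }
            if (parts.length == 2 && DIRECTION.matcher(parts[1]).matches()) {
                direction = parts[1].toLowerCase(Locale.ROOT);
            }
        }
        return BASE_QUERY + field + " " + direction;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: legitimate values, an unknown field,
        // an unknown direction and a missing parameter.
        String[] samples = { "date desc", "name", "nonexistent_column", "date sideways", null };
        for (String s : samples) {
            System.out.println("input    : " + s);
            System.out.println("hardened : " + safeOrderBy(s));
        }
    }
}
```

The same idea applies inside a Velocity template: look `$request.sort` up in a map of permitted values and emit the map's value, never the parameter itself. Using named query parameters does not help for `ORDER BY` targets, since HQL does not accept bound parameters as column references, which is why an allowlist is the appropriate control here.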
**Recommendations**
For XWiki Platform versions 6.3-milestone-2 through 13.10.4, upgrade to version 13.10.5 or later.
For versions prior to 14.3-rc-1, upgrade to version 14.3-rc-1 or later.
As a temporary workaround, consider disabling the `getdocument.vm` template until a patch is available.
Restrict access to the `getdocument.vm` template to minimize the risk of exploitation.
Avoid using the `request.sort` parameter in the affected template until the issue is resolved.