Xwiki · Xwiki Platform · CVE-2025-24893
**Name of the Vulnerable Software and Affected Versions**
XWiki versions prior to 15.10.11
XWiki versions prior to 16.4.1
XWiki versions prior to 16.5.0RC1
**Description**
XWiki Platform is susceptible to a remote code execution (RCE) vulnerability. An unauthenticated attacker can execute arbitrary code by sending a specially crafted request to the `SolrSearch` endpoint. The vulnerability stems from improper handling of user-supplied input within the `SolrSearchMacros` component, specifically failing to sanitize RSS feed input. This allows the injection and execution of Groovy code. The RondoDox botnet has been observed actively exploiting this vulnerability to deploy cryptocurrency miners and establish remote shells. Numerous reports indicate widespread exploitation, with over 1,200 exposed instances identified.
**API Endpoint:** `/xwiki/bin/get/Main/SolrSearch`
**Vulnerable Parameter:** `text`
**Recommendations**
XWiki versions prior to 15.10.11: Upgrade to version 15.10.11 or later.
XWiki versions prior to 16.4.1: Upgrade to version 16.4.1 or later.
XWiki versions prior to 16.5.0RC1: Upgrade to version 16.5.0RC1 or later.
As a workaround, edit the `Main.SolrSearchMacros` page (in `SolrSearchMacros.xml`, line 955) so that it matches the `rawResponse` macro in `macros.vm#L2824`, with a content type of `application/xml`.
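The three fix versions above each close their own release line, so an inventory check has to compare per branch rather than against a single number, and it has to order XWiki's pre-release strings (`16.5.0M2` before `16.5.0RC1` before `16.5.0`) correctly. The following Python is an added example, not code from XWiki or from this advisory; the version-string regex, the branch rule ("compare against the earliest fix whose major.minor is at or above your own") and the helper names are my own assumptions, with the fix versions taken from the advisory.

```python
import re
from typing import Optional, Tuple

# Fix versions stated in the advisory for CVE-2025-24893, one per release line.
FIXED_VERSIONS = ("15.10.11", "16.4.1", "16.5.0RC1")

# Accepts the shapes XWiki uses in its version strings: "15.10.11",
# "16.5.0RC1" and milestone builds such as "16.5.0M2". The regex is an
# assumption of this example, not an XWiki API.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(M|RC)(\d+))?$", re.IGNORECASE
)

# Pre-release stages in ascending order; a final release sorts last.
_STAGE_ORDER = {"M": 0, "RC": 1, "FINAL": 2}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a sortable tuple.

    The tuple is (major, minor, patch, stage, stage_number), where stage is
    0 for milestones, 1 for release candidates and 2 for final releases,
    so that 16.5.0M2 < 16.5.0RC1 < 16.5.0 under plain tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        stage = _STAGE_ORDER[m.group(4).upper()]
        stage_number = int(m.group(5))
    else:
        stage, stage_number = _STAGE_ORDER["FINAL"], 0
    return (major, minor, patch, stage, stage_number)


def _fix_for_branch(version: str) -> Optional[str]:
    """Return the fix version that governs this version's release line.

    The governing fix is the earliest one whose major.minor is at or above
    the version's own: 16.0.x and 16.4.x are measured against 16.4.1,
    15.x against 15.10.11, 16.5.0 pre-releases against 16.5.0RC1.
    Anything beyond the newest fix line returns None (nothing to compare).
    """
    v = parse_version(version)
    for fix_text in sorted(FIXED_VERSIONS, key=parse_version):
        if parse_version(fix_text)[:2] >= v[:2]:
            return fix_text
    return None


def is_affected(version: str) -> bool:
    """True if this XWiki version predates the CVE-2025-24893 fix for its line."""
    fix_text = _fix_for_branch(version)
    if fix_text is None:
        return False  # newer than every fix line listed in the advisory
    return parse_version(version) < parse_version(fix_text)


def recommended_upgrade(version: str) -> Optional[str]:
    """The advisory's upgrade target for an affected version, or None if fixed."""
    if not is_affected(version):
        return None
    return _fix_for_branch(version)


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames are placeholders.
    inventory = {
        "wiki-a.example": "15.10.10",
        "wiki-b.example": "16.4.0",
        "wiki-c.example": "16.5.0M1",
        "wiki-d.example": "16.10.2",
    }
    for host, ver in inventory.items():
        target = recommended_upgrade(ver)
        status = f"AFFECTED -> upgrade to {target}" if target else "fixed"
        print(f"{host:16} {ver:10} {status}")
```

Feed it the version string reported by each instance (the `xwiki.version` shown in the administration UI or returned by the REST API) and act on every host it marks as affected; a host on a line the script cannot parse raises rather than silently passing, which is the safer failure for an inventory check.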