Michael Hamann

Name of the Vulnerable Software and Affected Versions: XWiki Remote Macros versions 1.0 through 1.26.5 Description: XWiki Remote Macros provides XWiki rendering macros used for migrating content from Confluence. A missing escaping mechanism in the `ac:type` parameter within the `ConfluenceLayoutSection` macro allows for remote code execution. The `classes` parameter is used without proper escaping in XWiki syntax, enabling XWiki syntax injection, which also leads to remote code execution. Recommendations: Update to version 1.26.5 or later.

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 14.4.2 through 16.4.7 XWiki Platform versions 16.5.0-rc-1 through 16.10.6 XWiki Platform versions 17.0.0-rc-1 through 17.4.0-rc-1 Description: The PDF export jobs store sensitive cookies unencrypted in job statuses. This includes the encrypted username and password, which effectively exposes the plain text password if the encryption key is compromised. The encryption key is stored in the same data directory as the job status, making it accessible. The vulnerability exists because the job status includes cookies from the HTTP request that triggered the export. Recommendations: Upgrade to XWiki Platform version 16.4.8 or later. Upgrade to XWiki Platform version 16.10.7 or later. Upgrade to XWiki Platform version 17.4.0-rc-1 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 4.2-milestone-3 through 16.4.7 XWiki Platform versions 16.5.0-rc-1 through 16.10.5 XWiki Platform versions 17.0.0-rc-1 through 17.2.2 **Description** The platform contains reflected cross-site scripting (XSS) vulnerabilities in two templates. An attacker can execute malicious JavaScript code in the context of a victim's session by getting the victim to visit a crafted URL. This allows the attacker to perform actions using the victim's permissions. The issue is exploitable through URLs such as `/xwiki/bin/view/Main/?xpage=job status json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)>` and `/xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E`. **Recommendations** XWiki Platform versions prior to 16.4.8 XWiki Platform versions prior to 16.10.6 XWiki Platform versions prior to 17.3.0-rc-1 Manually patch the WAR file with the changes included in the original patch.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.3 XWiki versions prior to 17.0.0 **Description** The issue allows any user with edit rights on a page to execute code, including Groovy, Python, and Velocity, with programming rights by defining a wiki macro. This can grant full access to the whole XWiki installation. The problem arises when a wiki macro parameter allows wiki syntax, and its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro, such as the children macro, allowing arbitrary script macros. **Recommendations** For versions prior to 16.4.7, update to version 16.4.7 or later to enforce proper rights management. For versions prior to 16.10.3, update to version 16.10.3 or later to enforce proper rights management. For versions prior to 17.0.0, update to version 17.0.0 or later to enforce proper rights management.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 4.3-milestone-1 through 16.10.8 XWiki Platform versions 17.4.0 through 17.4.1 XWiki Platform versions 17.5.0 **Description** The XWiki Platform, a generic wiki platform, contains a flaw in the REST search URL. The `orderField` parameter is susceptible to HQL injection. The value provided for this parameter is included twice in the query, requiring careful manipulation to exploit. Specifically, enclosing the query segment between the two instances of the field in single quotes can bypass the constraints, but the query must remain valid with the parameter appearing twice. This issue affects versions starting from 4.3-milestone-1 and is addressed in versions 16.10.9, 17.4.2, and 17.5.0. The API endpoint involved is the REST search URL. The vulnerable parameter is `orderField`. **Recommendations** Update to XWiki Platform version 16.10.9 or later. Update to XWiki Platform version 17.4.2 or later. Update to XWiki Platform version 17.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Contrib's Syntax Markdown versions 8.2 through 8.8 **Description** The issue allows any user to embed Javascript code using Markdown syntax, which can be executed on the browser of other users visiting the document or comment containing it. This compromises the confidentiality, integrity, and availability of the entire XWiki installation, especially if the code is executed by a user with administrative or programming rights. **Recommendations** For versions 8.2 through 8.8, update to version 8.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.3 XWiki versions prior to 17.0.0 **Description** XWiki is a generic wiki platform that warns about the execution of "dangerous" macros like malicious script macros authored by a user with fewer rights since XWiki 15.9RC1. However, the required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. The existing analyzers do not consider non-lowercase parameters, and most macro parameters that can contain XWiki syntax were not analyzed. This could allow a malicious user to add malicious script macros, including Groovy or Python macros, to a page that are then executed after another user with programming rights edits the page, thus allowing remote code execution. **Recommendations** For versions prior to 16.4.7, update to version 16.4.7 or later. For versions prior to 16.10.3, update to version 16.10.3 or later. For versions prior to 17.0.0, update to version 17.0.0 or later. As a temporary workaround, consider being careful when editing content authored by untrusted users.

**Name of the Vulnerable Software and Affected Versions** XWiki versions 16.10.0 through 16.10.3 **Description** The issue is related to a bug in the implementation of required rights in XWiki, allowing any user with edit right on a document to set programming right as required right. This could lead to remote code execution if a user with programming right edits the document. The impact is considered low, as the vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights. However, gaining programming right could have a high impact. **Recommendations** For XWiki versions 16.10.0 through 16.10.3, upgrade to XWiki 16.10.4 or 17.1.0RC1 to resolve the issue. As a temporary workaround, consider restricting access to documents with required rights enforced, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 9.8-rc-1 through 16.4.6 XWiki Platform versions 16.5.0-rc-1 through 16.10.4 XWiki Platform versions 17.0.0-rc-1 through 17.1.0 **Description** XWiki Platform Legacy Old Core and XWiki Platform Old Core allows any user with editing rights to create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of the password property is displayed, potentially exposing password hashes of all users and other password properties to any user with an account on the wiki. **Recommendations** Update to XWiki Platform version 16.4.7 or later. Update to XWiki Platform version 16.10.5 or later. Update to XWiki Platform version 17.2.0-rc-1 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 1.1 through 16.4.6 XWiki Platform versions 16.5.0-rc-1 through 16.10.4 XWiki Platform versions 17.0.0-rc-1 through 17.1.0 **Description** XWiki Platform Legacy Old Core and XWiki Platform Old Core are affected by an issue where the XML export of a page, accessible to any user with view rights by appending `?xpage=xml` to the URL, includes `password` and `email` properties stored on a document – even if these properties are not explicitly named `password` or `email`. **Recommendations** XWiki Platform versions prior to 16.4.7 should be updated. XWiki Platform versions prior to 16.10.5 should be updated. XWiki Platform versions prior to 17.2.0-rc-1 should be updated. If the XML export functionality is not required, delete the `templates/xml.vm` file from the deployed WAR file.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 10.9 through 16.4.6 XWiki Platform versions 16.5.0-rc-1 through 16.10.2 XWiki Platform versions 17.0.0-rc-1 **Description** The issue affects XWiki, a generic wiki platform, where an attacker can access the title of every single page whose reference is known through the REST API, as long as an XClass with a page property is accessible. This is the default for an XWiki installation. The impact on confidentiality depends on the strategy for page names, with low impact if page names match the title, but potentially high impact if page names are intentionally obfuscated because the titles are sensitive. **Recommendations** For XWiki Platform versions 10.9 through 16.4.6, update to version 16.4.7. For XWiki Platform versions 16.5.0-rc-1 through 16.10.2, update to version 16.10.3. For XWiki Platform versions 17.0.0-rc-1, update to version 17.0.0.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 9.7-rc-1 through 15.10.10 XWiki Platform versions 16.4.0 through 16.4.0 XWiki Platform versions 16.5.0 and earlier **Description** XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity, and availability of the whole XWiki installation. The vulnerability has been fixed in XWiki 15.10.11, 16.4.1, and 16.5.0. **Recommendations** For XWiki Platform versions 9.7-rc-1 through 15.10.10, update to version 15.10.11 or later. For XWiki Platform versions 16.4.0, update to version 16.4.1 or later. For XWiki Platform versions 16.5.0 and earlier, update to version 16.5.0 or later. As a temporary workaround, it is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList`.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 1.2-milestone-2 through 15.10.8 XWiki Platform versions 1.2-milestone-2 through 16.2.x **Description** The issue allows any user with an account on the main wiki to run scheduling operations on subwikis. To reproduce, a user on the main wiki without any special right can view the document `Scheduler.WebHome` in a subwiki, then click on any operation (e.g., Trigger) on any job. If the operation is successful, the instance is vulnerable. **Recommendations** For XWiki Platform versions 1.2-milestone-2 through 15.10.8, update to version 15.10.9 or later. For XWiki Platform versions 1.2-milestone-2 through 16.2.x, update to version 16.3.0 or later. As a temporary workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 3.3-milestone-1 through 15.10.8 XWiki Platform versions 3.3-milestone-1 through 16.2.x **Description** XWiki Platform is a generic wiki platform. On instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This issue has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`. **Recommendations** For XWiki Platform versions 3.3-milestone-1 through 15.10.8, update to version 15.10.9 or later. For XWiki Platform versions 3.3-milestone-1 through 16.2.x, update to version 16.3.0 or later. As a temporary workaround, consider disabling the `Extension Repository Application` on instances that do not use it. Restrict access to the `ExtensionCode.ExtensionSheet` and `ExtensionCode.ExtensionAuthorsDisplayer` pages to minimize the risk of exploitation. Manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer` as an alternative solution.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 15.10.16 XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.2 **Description** The issue arises when a user without script rights creates a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object. If an admin later edits and saves this document, the potentially malicious content of the object is output as raw HTML, allowing cross-site scripting (XSS) attacks. The notification displayer executes Velocity code, and while a generic analyzer warns admins about editing Velocity code, warnings for editing documents with dangerous properties were only introduced in XWiki 15.9. **Recommendations** For versions prior to 15.10.16, update to version 15.10.16 or later. For versions prior to 16.4.7, update to version 16.4.7 or later. For versions prior to 16.10.2, update to version 16.10.2 or later. As a temporary workaround, consider being cautious when editing documents with potentially malicious code, especially those containing XWiki.Notifications.Code.NotificationDisplayerClass objects, until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 15.10.16 XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.2 **Description** The issue affects XWiki, a generic wiki platform. It occurs when a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object. If an admin later edits and saves that document, the email templates in this object will be used for notifications. Although no malicious code can be executed due to the existing generic analyzer warning admins before editing Velocity code, the main impact could be to send spam, such as phishing links to other users, or to hide notifications about other attacks. **Recommendations** For versions prior to 15.10.16, update to version 15.10.16 or later. For versions prior to 16.4.7, update to version 16.4.7 or later. For versions prior to 16.10.2, update to version 16.10.2 or later. As a temporary workaround, consider restricting access to documents with `XWiki.Notifications.Code.NotificationEmailRendererClass` objects until the issue is resolved. Avoid using the `XWiki.Notifications.Code.NotificationEmailRendererClass` object in documents until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 15.10RC1 **Description** A user without script or programming rights can trick a user with elevated rights to edit content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. **Recommendations** For versions prior to 15.10RC1, upgrade to XWiki 15.10RC1 or later to patch the vulnerability. As a temporary workaround, consider restricting the use of WYSIWYG editors for users with elevated rights until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.21 XWiki Platform versions prior to 15.5.5 XWiki Platform versions prior to 15.10.6 XWiki Platform versions prior to 16.0.0 **Description** The issue allows a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript, which requires a social engineer to trick a user into following the URL. **Recommendations** For versions prior to 14.10.21, update to version 14.10.21 or later. For versions prior to 15.5.5, update to version 15.5.5 or later. For versions prior to 15.10.6, update to version 15.10.6 or later. For versions prior to 16.0.0, update to version 16.0.0 or later. As a temporary workaround, consider restricting access to the `xwiki-server>/xwiki/bin/view/` endpoint until a patch is available. Avoid using the `test` property in the object editor until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.21 XWiki Platform versions prior to 15.5.5 XWiki Platform versions prior to 15.10.2 **Description** The issue allows any user with edit rights on any page to perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity, and availability of the whole XWiki installation. **Recommendations** For XWiki Platform versions prior to 14.10.21, upgrade to version 14.10.21 or later. For XWiki Platform versions prior to 15.5.5, upgrade to version 15.5.5 or later. For XWiki Platform versions prior to 15.10.2, upgrade to version 15.10.2 or later. As a temporary workaround, consider restricting the ability to add instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to user profiles or pages until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 15.10.8 XWiki Platform versions prior to 16.3.0RC1 **Description** The issue allows an attacker to execute JavaScript snippets on the side of another user, compromising the confidentiality, integrity, and availability of the whole XWiki installation. This can be achieved by creating a conflict when another user with more rights is currently editing a page. The estimated number of potentially affected devices is not specified. To exploit this issue, a user with admin rights needs to edit a document without saving right away. Then, as another user without any other right than edit on the specific document, change the whole content to `<script>alert('XSS')</script>`. When the admin user then saves the document, a conflict popup appears. If they select "Fix each conflict individually" and see an alert displaying "XSS", then the instance is vulnerable. **Recommendations** For XWiki Platform versions prior to 15.10.8, update to version 15.10.8 or later. For XWiki Platform versions prior to 16.3.0RC1, update to version 16.3.0RC1 or later. As a temporary workaround, consider restricting the ability to create conflicts when editing pages, until a patch is applied.