Simon Urli

**Name of the Vulnerable Software and Affected Versions** XWiki versions 7.4.5 through 16.4.7 XWiki versions 8.2 through 16.10.4 XWiki versions 17.1.0-rc-1 and earlier **Description** The issue allows pages to gain script or programming rights when they contain a link and the target of the link is renamed or moved, potentially leading to the execution of scripts contained in xobjects that should not have been executed. **Recommendations** For XWiki versions 7.4.5 through 16.4.7, update to version 16.4.7 or later. For XWiki versions 8.2 through 16.10.4, update to version 16.10.4 or later. For XWiki versions 17.1.0-rc-1 and earlier, update to version 17.1.0-rc-1 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 5.0-rc-1 through 14.10.18 XWiki Platform versions 14.10.19 through 15.5.3 XWiki Platform versions 15.5.4 through 15.9-rc-1 **Description** The issue allows access to the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. An attacker with rights to edit a user's page can exploit this to access the hash password of a user. This vulnerability is normally prevented on user profiles by default, except for users with Admin rights. It also impacts extensions that use passwords stored in xobjects, depending on the rights of those pages. There is no way to be 100% sure if this vulnerability has been exploited, as an attacker with enough privileges could have deleted the revision where the xobject was deleted after rolling back the deletion. **Recommendations** For XWiki Platform versions 5.0-rc-1 through 14.10.18, upgrade to version 14.10.19 or later. For XWiki Platform versions 14.10.19 through 15.5.3, upgrade to version 15.5.4 or later. For XWiki Platform versions 15.5.4 through 15.9-rc-1, upgrade to version 15.9-rc-1 or later. As a temporary workaround, consider ensuring that user pages are properly protected by not allowing edit rights to other users than Admin and the owner of the profile. Change passwords on pages with a user password xobject that have in their history a revision where the object has been deleted.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.8 XWiki Platform versions prior to 15.2 **Description** The issue is related to insufficient authentication checks for executed requests in the XWiki Platform, allowing cross-site request forgery. This can lead to remote code execution through script macros when a user with programming rights interacts with the platform, impacting the integrity, availability, and confidentiality of the XWiki installation. For regular cookie-based authentication, the issue is mitigated by SameSite cookie restrictions, but these are not enabled by default in Firefox and Safari as of March 2023. **Recommendations** For XWiki Platform versions prior to 14.10.8, update to version 14.10.8 or later to require a CSRF token header for certain request types susceptible to CSRF attacks. For XWiki Platform versions prior to 15.2, update to version 15.2 or later to require a CSRF token header for certain request types susceptible to CSRF attacks. As a temporary workaround, consider checking for the `Origin` header in a reverse proxy to protect the REST endpoint from CSRF attacks.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 3.4-milestone-1 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1) **Description** The XWiki Platform is vulnerable to a cross-site scripting (XSS) attack, allowing users to inject JavaScript into a page by forging a URL with a payload. This can be exploited using the deletespace template, for example, by using a URL such as "xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)". The vulnerability exists since XWiki 3.4-milestone-1. **Recommendations** For XWiki Platform versions 3.4-milestone-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1), update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template deletespace.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 6.2-milestone-1 through 14.10.4 XWiki Platform versions 15.1-rc-1 and earlier **Description** The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling a cross-site scripting (XSS) attack. This can be exploited using the DeleteApplication page. For example, a URL such as "xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)" can be used. The vulnerability exists due to the lack of measures to neutralize alternative XSS syntax. **Recommendations** For XWiki Platform versions 6.2-milestone-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.1-rc-1 and earlier, update to version 15.1 or later. As a temporary workaround, consider editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0-rc-1 **Description** The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to break many translations coming from wiki pages by creating a corrupted document containing a translation object, leading to a broken page. **Recommendations** For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.8, upgrade to version 14.4.8 or later. For versions prior to 14.10.1, upgrade to version 14.10.1 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider fixing any way to create a document that fails to load, until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** xwiki-platform-oldcore versions prior to 13.10.7 xwiki-platform-oldcore versions prior to 14.4.2 xwiki-platform-oldcore versions prior to 14.5RC1 **Description** The issue is related to missing authorization in the `setDisabledStatus` method of the `User` class, allowing users with only Script rights to enable or disable other users. This operation should be restricted to users with admin rights. **Recommendations** For versions prior to 13.10.7, update to version 13.10.7 or later. For versions prior to 14.4.2, update to version 14.4.2 or later. For versions prior to 14.5RC1, update to version 14.5RC1 or later. As a temporary workaround, consider restricting Script rights to trusted users until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 12.10.11 XWiki Platform versions prior to 13.4.6 XWiki Platform versions prior to 13.10-rc-1 **Description** The issue allows simple users to create global SSX/JSX without specific rights. In theory, only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. However, a bug enables anyone with edit rights to create those. **Recommendations** For versions prior to 12.10.11, upgrade to version 12.10.11 or later. For versions prior to 13.4.6, upgrade to version 13.4.6 or later. For versions prior to 13.10-rc-1, upgrade to version 13.10-rc-1 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 12.10.11 XWiki Platform versions prior to 13.4.7 XWiki Platform versions prior to 13.10.3 XWiki Platform versions prior to 14.0-rc-1 **Description** The issue is related to a cross-site scripting (XSS) vector in the `registerinline.vm` template, specifically with the `xredirect` hidden field. This template is used when the wiki is open to registration for anyone and closed to view for Guest users, or when the XWiki.Registration page is forbidden in View for guest users. Administrators can obtain the second condition by checking the "Prevent unregistered users from viewing pages, regardless of the page rights" box in the administration rights. **Recommendations** For versions prior to 12.10.11, apply a patch in the `registerinline.vm` template to check the value of the `xredirect` field. For versions prior to 13.4.7, apply a patch in the `registerinline.vm` template to check the value of the `xredirect` field. For versions prior to 13.10.3, apply a patch in the `registerinline.vm` template to check the value of the `xredirect` field. For versions prior to 14.0-rc-1, apply a patch in the `registerinline.vm` template to check the value of the `xredirect` field. As a temporary workaround, ensure "Prevent unregistered users from viewing pages, regardless of the page rights" is not checked in the rights and apply a better right scheme using groups and rights on spaces.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 12.10.5 XWiki versions prior to 13.2RC1 **Description** It is possible to determine if a user has an account in a wiki related to an email address and which username(s) is tied to that email by forging a request to the "Forgot username" page. This is due to the lack of a CSRF check on this page, making it easy to perform multiple requests. **Recommendations** For versions prior to 12.10.5, update to version 12.10.5 or later. For versions prior to 13.2RC1, update to version 13.2RC1 or later. As a temporary workaround for versions below 13.x, edit the ForgotUsername page to use the provided code. For versions after 13.x, consider editing the forgotusername.vm file manually, but upgrading the version is recommended.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 13.1RC1 through 13.1 **Description** The reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. **Recommendations** For versions 13.1RC1 through 13.1, manually modify the `resetpasswordinline.vm` to perform the changes made to mitigate the vulnerability. Update to XWiki 13.2RC1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 12.6.8 XWiki Platform versions prior to 12.10.4 XWiki Platform versions prior to 13.0 **Description** A vulnerability exists in the XWiki Platform where the script service method used to reset the authentication failures record can be executed by any user with Script rights, without requiring Programming rights. This allows an attacker with script rights to potentially perform a brute force attack by resetting the authentication failure record, effectively deactivating the mechanism meant to mitigate such attacks. **Recommendations** For versions prior to 12.6.8, upgrade to version 12.6.8 or later. For versions prior to 12.10.4, upgrade to version 12.10.4 or later. For versions prior to 13.0, upgrade to version 13.0 or later. As a temporary workaround, consider restricting Script right access to trusted users to minimize the risk of exploitation. Monitor logs for signs of brute force attacks on authentication, as authentication failures are logged.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 12.9RC1 **Description** The XWiki Platform, specifically with the Ratings API installed, exposes an API that allows performing SQL requests without properly escaping the `from` and `where` search arguments. This could lead to SQL script injection for users with Script rights on XWiki. **Recommendations** For versions prior to 12.9RC1, upgrade to XWiki 12.9RC1 to resolve the issue. As a temporary workaround, consider uninstalling the Ratings API in XWiki from the Extension Manager until a patch is applied.