Thomas Mortagne

**Name of the Vulnerable Software and Affected Versions** XWiki versions 2.17.1 through 2.18.1 **Description** XWiki OpenID Connect (OIDC) contains tools for manipulating the OpenID Connect protocol. Individuals with VIEW access to a user profile can generate a token for that user in versions prior to 2.18.2. If the XWiki instance permits token authentication, this allows authentication as any user, as user profiles are often viewable by other registered users. **Recommendations** Upgrade to version 2.18.2. Disable token access.

**Name of the Vulnerable Software and Affected Versions** xWiki versions prior to 16.10.6 xWiki versions prior to 17.3.0-rc-1 **Description** The application allows execution of arbitrary SQL queries in Oracle databases using functions like `DBMS XMLGEN` or `DBMS XMLQUERY`. The XWiki#searchDocuments API does not sanitize queries, and Hibernate allows the use of native functions within HQL queries. **Recommendations** Upgrade to xWiki version 16.10.6 or later. Upgrade to xWiki version 17.3.0-rc-1 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki versions 1.6-milestone-1 through 15.10.16 XWiki versions prior to 16.4.6 XWiki versions prior to 16.10.1 **Description** The issue allows a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to obtain confidential information such as password hashes from the database, as well as execute UPDATE/INSERT/DELETE queries. **Recommendations** For versions 1.6-milestone-1 through 15.10.16, update to version 15.10.16 or later. For versions prior to 16.4.6, update to version 16.4.6 or later. For versions prior to 16.10.1, update to version 16.10.1 or later. As a temporary workaround, consider restricting the SCRIPT right to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.17 XWiki Platform versions prior to 15.5.3 XWiki Platform versions prior to 15.8-rc-1 **Description** The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection, allowing a user to rollback to a previous version of the page to gain rights they don't have anymore. **Recommendations** For versions prior to 14.10.17, update to version 14.10.17 or later. For versions prior to 15.5.3, update to version 15.5.3 or later. For versions prior to 15.8-rc-1, update to version 15.8-rc-1 or later. As a temporary workaround, consider paying attention to delete old versions of documents that could allow users to gain more rights.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 3.3-milestone-2 through 14.10.3 XWiki Platform versions prior to 15.0-rc-1 **Description** The issue is related to authorization errors in the XWiki Platform, allowing a remote attacker to elevate their privileges. A user can execute actions with the rights of the author of the XWiki.ClassSheet document. This can be achieved by editing the user profile with the object editor and adding a specific object, then editing the profile with the wiki editor and adding certain syntax. The estimated number of potentially affected devices is not provided. There are no known real-world incidents where this issue was exploited. **Recommendations** For XWiki Platform versions 3.3-milestone-2 through 14.10.3, update to version 14.10.4 to resolve the issue. For XWiki Platform versions prior to 15.0-rc-1, update to version 15.0-rc-1 to resolve the issue. As a temporary workaround, consider restricting access to the `DocumentSheetBinding` object and the `groovy` syntax in the wiki editor to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 14.4.7 XWiki versions prior to 14.10 **Description** The Document script API returns directly a DocumentAuthors, allowing to set any authors to the document. This can allow subsequent executions of scripts since this author is used for checking rights. An example of such an attack involves setting the content author to 'xwiki:XWiki.superadmin' using the `velocity` template engine and the `setContentAuthor` method. **Recommendations** For versions prior to 14.4.7, update to version 14.4.7 or later to patch the issue. For versions prior to 14.10, update to version 14.10 or later to patch the issue. As a temporary workaround, consider restricting the use of the Document script API until a patch is available. Avoid using the `authors` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 11.6-rc-1 through 14.8 XWiki Platform versions 14.4.0 through 14.4.5 XWiki Platform versions 13.10.0 through 13.10.9 **Description** The XWiki Platform is a generic wiki platform where comments are supposed to be executed with the right of superadmin but in restricted mode. However, the async macro does not take into account the restricted mode, allowing any user with comment right to use the async macro to make it execute any wiki content with the right of superadmin. **Recommendations** For XWiki Platform versions 11.6-rc-1 through 14.8, update to version 14.9. For XWiki Platform versions 14.4.0 through 14.4.5, update to version 14.4.6. For XWiki Platform versions 13.10.0 through 13.10.9, update to version 13.10.10. As a temporary workaround, consider applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 6.3-rc-1 through 13.10.9 XWiki Platform versions 6.2.4 through 14.4.5 XWiki Platform versions 14.4.6 is not affected, but versions prior to 14.4.6 are **Description** The issue allows injecting arbitrary wiki syntax, including Groovy, Python, and Velocity script macros, via the `newThemeName` request parameter in combination with additional parameters `form token=1&action=create`. This can lead to the execution of malicious code on the server. For example, a request to "/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form token=1&action=create" will execute the Groovy code `println("hello from groovy!")` on the server. **Recommendations** For versions 6.3-rc-1 through 13.10.9, update to version 13.10.10 or later. For versions 6.2.4 through 14.4.5, update to version 14.4.6 or later. As a temporary workaround for all affected versions, edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.8 XWiki Platform versions prior to 14.6 **Description** The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. **Recommendations** For versions prior to 13.10.8, update to version 13.10.8 or later. For versions prior to 14.6, update to version 14.6 or later. As a temporary workaround, consider setting the right of the page Filter.WebHome and making sure only the main wiki administrators can view the application installed on the main wiki or edit the page and apply the changes described in commit fb49b4f.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform Old Core versions prior to 13.1.0.5 and 14.3-rc-1 **Description** The issue arises from missing checks for inactive users in XWiki, including the REST service, allowing a disabled user to enable themselves using a REST call. Some resources handler created by extensions are also not protected by default, enabling inactive users to perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki and is more critical for versions 11.3-rc-1 and later. **Recommendations** For versions prior to 13.1.0.5 and 14.3-rc-1, upgrade to XWiki 13.10.5 or XWiki 14.3-rc-1 to resolve the issue. As a temporary workaround is not available, upgrading XWiki is the only solution to mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform Filter UI versions 5.4.4 through 12.10.10 XWiki Platform Filter UI versions 13.0.0 through 13.4.6 XWiki Platform Filter UI versions 13.10.0 through 13.10.2 XWiki Platform Filter UI versions 14.0.0-rc-0 **Description** The issue is related to a possible cross-site scripting vector in the `Filter.FilterStreamDescriptorForm` wiki page, affecting pretty much all the form fields printed in the home page of the application. **Recommendations** For versions 5.4.4 through 12.10.10, edit the wiki page `Filter.FilterStreamDescriptorForm` according to the instructions in the GitHub Security Advisory. For versions 13.0.0 through 13.4.6, edit the wiki page `Filter.FilterStreamDescriptorForm` according to the instructions in the GitHub Security Advisory. For versions 13.10.0 through 13.10.2, edit the wiki page `Filter.FilterStreamDescriptorForm` according to the instructions in the GitHub Security Advisory. For versions 14.0.0-rc-0, edit the wiki page `Filter.FilterStreamDescriptorForm` according to the instructions in the GitHub Security Advisory.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 8.3-rc-1 through 12.10.3 XWiki Platform versions prior to 13.10.3 XWiki Platform versions prior to 14.0 **Description** The issue allows access to any file located in the classloader using the template API and a path with ".." in it. For example, `{{template name="../xwiki.hbm.xml"/}}`. The confidentiality value of this advisory is considered low, as none of the available files of the classloader in XWiki Standard contain strong confidential data. **Recommendations** For XWiki Platform versions 8.3-rc-1 through 12.10.3, upgrade to version 13.10.3 or 14.0. For XWiki Platform versions prior to 13.10.3, upgrade to version 13.10.3 or 14.0. For XWiki Platform versions prior to 14.0, upgrade to version 14.0. As a temporary workaround, consider restricting access to the template API until a patch is available. Administrators should upgrade their wiki to a patched version.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform Wiki UI Main Wiki versions 5.3-milestone-2 through 12.10.10 XWiki Platform Wiki UI Main Wiki versions 13.4.6 and earlier XWiki Platform Wiki UI Main Wiki versions 13.10.2 and earlier XWiki Platform Wiki UI Main Wiki versions 14.0-rc-1 and earlier **Description** The issue concerns a possible cross-site scripting vector in the `WikiManager.JoinWiki` wiki page related to the `requestJoin` field. **Recommendations** For versions 5.3-milestone-2 through 12.10.10, update to version 12.10.11. For versions 13.4.6 and earlier, update to version 13.4.7. For versions 13.10.2 and earlier, update to version 13.10.3. As a temporary workaround for all affected versions, edit the wiki page `WikiManager.JoinWiki` and change the line `<input type='hidden' name='requestJoin' value="$!request.requestJoin"/>` into `<input type='hidden' name='requestJoin' value="$escapetool.xml($!request.requestJoin)">`.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform Flamingo Theme UI versions prior to 12.10.11 XWiki Platform Flamingo Theme UI versions prior to 13.4.7 XWiki Platform Flamingo Theme UI versions prior to 13.10.3 XWiki Platform Flamingo Theme UI version 14.0-rc-1 and earlier **Description** A possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the `newThemeName` form field. This issue can be exploited, allowing for potential malicious activities. **Recommendations** For versions prior to 12.10.11, update to version 12.10.11 or later. For versions prior to 13.4.7, update to version 13.4.7 or later. For versions prior to 13.10.3, update to version 13.10.3 or later. For version 14.0-rc-1 and earlier, update to a version later than 14.0-rc-1. As a temporary workaround, edit the wiki page `FlamingoThemesCode.WebHomeSheet` and change the line `<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />` into `<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />`.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 11.10.11 XWiki Platform versions prior to 12.6.3 XWiki Platform versions prior to 12.8-rc-1 **Description** The `{{wikimacrocontent}}` executes the content with the rights of the wiki macro author instead of the caller of that wiki macro. This makes it possible to inject scripts through it, and they will be executed with the rights of the wiki macro, often a user with Programming rights. No such macro exists by default in XWiki Standard, but one could have been created or installed with an extension. **Recommendations** For versions prior to 11.10.11, update to version 11.10.11 or later. For versions prior to 12.6.3, update to version 12.6.3 or later. For versions prior to 12.8-rc-1, update to version 12.8-rc-1 or later. As a temporary workaround, consider disabling the affected macros until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 12.5 XWiki versions prior to 11.10.6 **Description** The issue allows any user with SCRIPT right (EDIT right before XWiki 7.4) to gain access to the application server Servlet context. This access contains tools that enable the instantiation of arbitrary Java objects and the invocation of methods, potentially leading to arbitrary code execution. **Recommendations** For versions prior to 12.5, update to version 12.5 or later. For versions prior to 11.10.6, update to version 11.10.6 or later. As a temporary workaround, consider giving SCRIPT right only to trusted users.