PT-2020-6996 · Xwiki · Xwiki Platform

Clément Aubin

·

Published

2020-10-12

·

Updated

2025-01-10

·

CVE-2024-55663

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 6.3-milestone-2 through 13.10.4
Description

The XWiki Platform is affected by an issue in the getdocument.vm template, where the ordering of the returned documents is taken from an unsanitized request parameter (request.sort), allowing any user to inject HQL. Depending on the database backend in use, an attacker may be able to obtain confidential information, such as password hashes, from the database, and may also be able to execute UPDATE/INSERT/DELETE queries.
Recommendations

For XWiki Platform versions 6.3-milestone-2 through 13.10.4, upgrade to version 13.10.5 or later. For versions prior to 14.3-rc-1, upgrade to version 14.3-rc-1 or later. As a temporary workaround, consider disabling the getdocument.vm template until a patch is available, and restrict access to the template to minimize the risk of exploitation. Avoid using the request.sort parameter in the affected template until the issue is resolved.
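The following is an added illustration of the weakness and its standard hardening, not code from XWiki or from the advisory: the vulnerable pattern concatenates the sort parameter directly into the HQL ORDER BY clause, while the hardened version only accepts a field name from a fixed allowlist plus an optional direction, falling back to a default otherwise. The field names and the base query are assumptions constructed for this example.

```python
import re

# Assumed allowlist of document fields a caller may sort on; the real set
# depends on the query the template runs.
ALLOWED_SORT_FIELDS = {"name", "date", "creationDate", "author"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# Constructed HQL base query standing in for the template's document lookup.
BASE_HQL = "select doc.fullName from XWikiDocument doc where doc.space = :space"


def unsafe_order_by(sort_param: str) -> str:
    """The vulnerable pattern: the request parameter is concatenated as-is,
    so anything after the field name becomes part of the HQL statement."""
    return f"{BASE_HQL} order by doc.{sort_param}"


def parse_sort(sort_param: str):
    """Return (field, direction) if sort_param is exactly one allowlisted
    field followed by an optional asc/desc; return None for anything else."""
    m = re.fullmatch(r"([A-Za-z]+)(?:\s+(asc|desc))?", sort_param.strip(),
                     re.IGNORECASE)
    if not m:
        return None
    field = m.group(1)
    direction = (m.group(2) or "asc").lower()
    if field not in ALLOWED_SORT_FIELDS or direction not in ALLOWED_DIRECTIONS:
        return None
    return field, direction


def safe_order_by(sort_param: str, default=("name", "asc")) -> str:
    """Hardened pattern: only allowlisted values ever reach the query text;
    unrecognised input silently falls back to the default ordering."""
    field, direction = parse_sort(sort_param) or default
    return f"{BASE_HQL} order by doc.{field} {direction}"


if __name__ == "__main__":
    # Constructed inputs: a legitimate sort and one carrying an extra clause.
    for value in ("date desc", "name, doc.content"):
        print("unsafe:", unsafe_order_by(value))
        print("safe:  ", safe_order_by(value))
```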

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

BDU:2024-11310
CVE-2024-55663
GHSA-WH34-M772-5398

Affected Products

Xwiki Platform