PT-2022-16967 · Xwiki · Xwiki-Commons-Xml

Petrus Viet · Published 2022-04-28 · Updated 2022-05-10 · CVE-2022-24898

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
xwiki-commons-xml versions 2.7 through 12.10.9
xwiki-commons-xml versions 13.0.0 through 13.4.3
xwiki-commons-xml versions 13.8-rc-0 and earlier

Description
The issue allows a script to read any file accessible to the user running the XWiki application server, through XML External Entity (XXE) injection via the XML script service. For example, a Velocity script sets a variable to a malicious XML payload that declares an entity referencing a local file, such as file:///etc/passwd, then parses the payload with the xml.parse() function and serializes the result with xml.serialize(). The estimated number of potentially affected devices is not provided.

Recommendations
For xwiki-commons-xml versions 2.7 through 12.10.9, upgrade to version 12.10.10 or later.
For xwiki-commons-xml versions 13.0.0 through 13.4.3, upgrade to version 13.4.4 or later.
For xwiki-commons-xml versions 13.8-rc-0 and earlier, upgrade to version 13.8-rc-1 or later.
As a general mitigation measure, grant Script rights sparingly to minimize the risk of exploitation.
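The root cause described above is an XML parser that resolves external entities declared in a DOCTYPE. The following is an added example, not code from XWiki or from the xwiki-commons-xml fix, showing how a Java application parsing untrusted XML should configure javax.xml.parsers so that such entities are never resolved, together with a self-check a practitioner can run to confirm the configuration took effect. It assumes the JDK's built-in Xerces-based parser, which supports the Apache feature URIs used here; the class name HardenedXmlParser and the probe document are constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Build a DocumentBuilderFactory that cannot resolve external entities.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: external entities can only be declared in a DTD,
        // so this single feature closes the XXE class for documents that need no DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments that must tolerate DTDs for other reasons.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parse untrusted XML text with the hardened factory.
    public static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Self-check: true when the parser refuses a document that declares an external entity.
    // The probe is a constructed document; the SYSTEM path is a placeholder, not a real file.
    public static boolean rejectsExternalEntities() {
        String probe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
            + "<d>&ext;</d>";
        try {
            parseUntrusted(probe);
            return false;  // parsed without complaint: the factory is NOT hardened
        } catch (SAXParseException e) {
            return true;   // DOCTYPE rejected before any entity could be resolved
        } catch (Exception e) {
            return false;  // some other failure; treat as not verified
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejects external entities: " + rejectsExternalEntities());
        // Ordinary XML without a DTD still parses normally.
        Document ok = parseUntrusted("<config><item>value</item></config>");
        System.out.println("root element: " + ok.getDocumentElement().getTagName());
    }
}
```

Running the class should print "rejects external entities: true" followed by "root element: config". The same probe, fed to a factory built with plain DocumentBuilderFactory.newInstance() and no feature changes, is the quickest way to tell whether a given parser in a code base is exposed to this vulnerability class before relying on version upgrades alone.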

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers

CVE-2022-24898
GHSA-M2R5-4W96-QXG5

Affected Products

Xwiki-Commons-Xml