PT-2022-19501 · Xwiki · Xwiki Platform

Thomas Mortagne · Published 2022-05-25 · Updated 2022-06-07 · CVE-2022-29253

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 8.3-rc-1 through 12.10.3
XWiki Platform versions prior to 13.10.3
XWiki Platform versions prior to 14.0

Description
The issue allows access to any file located in the classloader through the template API when the template name contains a ".." path segment, for example {{template name="../xwiki.hbm.xml"/}}. The confidentiality impact of this advisory is considered low, as none of the files reachable from the classloader in XWiki Standard contain strongly confidential data.

Recommendations
For XWiki Platform versions 8.3-rc-1 through 12.10.3, upgrade to version 13.10.3 or 14.0. For XWiki Platform versions prior to 13.10.3, upgrade to version 13.10.3 or 14.0. For XWiki Platform versions prior to 14.0, upgrade to version 14.0. As a temporary workaround, consider restricting access to the template API until a patch is available. Administrators should upgrade their wiki to a patched version.
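As an added illustration (not XWiki's own code), the check below rejects template names that leave the template root and scans wiki markup for the macro form quoted in the description; the macro regex and the sample markup are constructed for this example.

```python
import posixpath
import re

# Matches the XWiki template macro form cited in the advisory, e.g.
# {{template name="../xwiki.hbm.xml"/}}. Constructed for this example,
# not taken from the XWiki parser.
TEMPLATE_MACRO = re.compile(r'\{\{template\s+name\s*=\s*"([^"]*)"\s*/?\}\}')


def is_safe_template_name(name: str) -> bool:
    """Return True only for a relative name that stays inside the template root.

    Rejects empty names, NUL bytes, backslashes, absolute paths and any ".."
    segment. Checking segments (rather than a substring) means "..foo.vm"
    stays allowed while "a/../../b" is refused.
    """
    if not name or "\0" in name or "\\" in name:
        return False
    if name.startswith("/"):
        return False
    if any(segment == ".." for segment in name.split("/")):
        return False
    # Defense in depth: the normalized form must still be a relative path.
    normalized = posixpath.normpath(name)
    return not normalized.startswith("/") and normalized != ".."


def find_unsafe_template_macros(markup: str) -> list:
    """Return the template names in `markup` that fail the safety check."""
    return [n for n in TEMPLATE_MACRO.findall(markup) if not is_safe_template_name(n)]


# Constructed sample wiki content mixing a legitimate macro with traversal attempts.
SAMPLE_MARKUP = """
{{template name="menu.vm"/}}
{{template name="../xwiki.hbm.xml"/}}
{{template name="subdir/../../config.xml"/}}
"""

if __name__ == "__main__":
    print(find_unsafe_template_macros(SAMPLE_MARKUP))
```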

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2022-29253
GHSA-9QRP-H7FW-42HG

Affected Products

Xwiki Platform