PT-2022-26165 · Xwiki · Xwiki Platform

Michael Hamann · Published 2022-11-21 · Updated 2023-06-27 · CVE-2022-41934

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
- XWiki Platform versions prior to 13.10.8
- XWiki Platform versions prior to 14.4.3
- XWiki Platform versions prior to 14.6RC1

Description:
The XWiki Platform is vulnerable to arbitrary code execution due to improper escaping of the macro content and parameters of the menu macro. Any user with view rights on commonly accessible documents, including the menu macro, can execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation.

The issue can be demonstrated by opening a specific API endpoint, <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bmenu%7D%7D%7B%7Bcache+id%3D%22menuMacro%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%7B%7B%2Fmenu%7D%7D, where <server> is the URL of the XWiki installation. If this displays "Hello from Groovy!", the installation is vulnerable.

Recommendations:
- For XWiki Platform versions prior to 13.10.8, apply the patch for version 13.10.8 or import a XAR archive of a patched version.
- For XWiki Platform versions prior to 14.4.3, update to version 14.4.3 or later.
- For XWiki Platform versions prior to 14.6RC1, update to version 14.6RC1 or later.
- As a temporary workaround, consider disabling the Menu.MenuMacro document until a patch is available.
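The request pattern quoted in the description is visible in ordinary web-server access logs, which gives defenders a way to check whether the endpoint was probed before the patch or workaround was applied. The script below is an added example, not part of this advisory or of the XWiki project: it parses combined-format access log lines (the three sample lines are constructed, not real traffic), percent-decodes the query string, and flags calls to the CKEditor.HTMLConverter sheet whose text parameter carries a groovy, python or velocity macro, noting whether that macro is wrapped in the menu macro as in the advisory's demonstration. The log format, field names and the finding structure are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format, not real traffic).
# The first line carries the request pattern quoted in the advisory; the other
# two are benign: a normal HTML-to-wiki conversion and a plain page view.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Bmenu%7D%7D%7B%7Bcache+id%3D%22menuMacro%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%7B%7B%2Fmenu%7D%7D HTTP/1.1" 200 512
10.0.0.7 - - [21/Nov/2022:10:00:02 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&fromHTML=true&toHTML=false&text=%3Cp%3Ehello%3C%2Fp%3E HTTP/1.1" 200 128
10.0.0.9 - - [21/Nov/2022:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4096
"""

# Minimal parser for the combined log format: client IP, timestamp, method,
# request target (path plus query string) and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The script macros named in the advisory, matched at the start of a wiki macro.
SCRIPT_MACRO_RE = re.compile(r'\{\{\s*(groovy|python|velocity)\b', re.IGNORECASE)
MENU_MACRO_RE = re.compile(r'\{\{\s*menu\b', re.IGNORECASE)


def inspect_request(target):
    """Return a finding dict for an HTMLConverter call whose text parameter
    contains a script macro, or None for any other request."""
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    if params.get('sheet', [''])[0] != 'CKEditor.HTMLConverter':
        return None
    # parse_qs already percent-decodes, so the wiki syntax is readable here.
    text = params.get('text', [''])[0]
    match = SCRIPT_MACRO_RE.search(text)
    if match is None:
        return None
    return {
        'macro': match.group(1).lower(),
        'via_menu_macro': MENU_MACRO_RE.search(text) is not None,
    }


def scan_log(log_text):
    """Run inspect_request over every parsable line; return the findings,
    each enriched with the client IP, timestamp and response status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = inspect_request(m.group('target'))
        if finding is not None:
            finding.update(ip=m.group('ip'), ts=m.group('ts'), status=m.group('status'))
            findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} script macro '{f['macro']}' sent to HTMLConverter "
              f"(wrapped in menu macro: {f['via_menu_macro']}), status {f['status']}")
```

Two caveats apply. Access logs record only the query string, so a conversion request submitted as a POST body would not be seen without request-body logging at the proxy or application layer. And the match is deliberately narrow (the three macros named in the advisory, in the text parameter of this one sheet), so a clean scan is a triage signal, not evidence that the installation was never reached; the remediation remains the upgrade or the Menu.MenuMacro workaround listed above.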

Weakness Enumeration:
- Improper Encoding or Escaping of Output
- Special Elements Injection

Related Identifiers:
- CVE-2022-41934
- GHSA-6W8H-26XX-CF8Q

Affected Products:
- Xwiki Platform