PT-2023-21156 · Xwiki · Xwiki Platform

Vincent Massol · Published 2023-03-07 · Updated 2023-03-14

CVE-2023-27480

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.4.7
XWiki Platform versions prior to 14.10-rc-1

Description

The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions, any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This issue can be exploited by creating a forged XAR file whose package.xml content includes an ENTITY referencing a file on the server, such as file:///etc/passwd, uploading it to a wiki page, and then triggering the import using a specific URL, for example http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar.

Recommendations

For versions prior to 13.10.11, upgrade to version 13.10.11 or later.
For versions prior to 14.4.7, upgrade to version 14.4.7 or later.
For versions prior to 14.10-rc-1, upgrade to version 14.10-rc-1 or later.
As a temporary workaround for users unable to upgrade, apply the patch e3527b98fd manually to the XarPackage Java class.
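The root cause described above is an XML parser that honours DTD entity declarations in an attacker-supplied package.xml. The following is an added example, not XWiki's own XarPackage code and not the referenced patch: a hypothetical pre-import gate, written in Python so it runs stand-alone, that opens a XAR (a zip archive) in memory and parses its package.xml with a parser that aborts on the first DOCTYPE or ENTITY declaration, so no external resource is ever resolved. The function names (check_package_xml, scan_xar, build_xar) and the two sample package.xml documents are constructed for this example.

```python
"""Pre-import gate for XAR archives: refuse any package.xml that carries a
DOCTYPE or entity declaration before the document is processed further.

Added illustration for this advisory; hypothetical code, not XWiki's own
XarPackage implementation. All names and sample inputs are constructed.
"""
import io
import zipfile
import xml.parsers.expat


class UnsafePackageXml(ValueError):
    """Raised when package.xml contains DTD constructs an importer should refuse."""


def check_package_xml(data: bytes) -> dict:
    """Parse package.xml with DTD processing forbidden.

    Returns a dict of the leaf elements under <package><infos> (name,
    description, version, ...). Raises UnsafePackageXml on any DOCTYPE or
    ENTITY declaration; parsing stops at the declaration itself, so a
    SYSTEM entity pointing at a server file is never dereferenced.
    """
    parser = xml.parsers.expat.ParserCreate()
    infos: dict = {}
    path: list = []   # element stack, used to locate <infos> leaves
    text: list = []   # character data collected for the current leaf

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside an expat handler propagates out of Parse().
        raise UnsafePackageXml(f"DOCTYPE declaration for {name!r} is not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafePackageXml(f"ENTITY declaration {name!r} is not allowed")

    def start_element(tag, attrs):
        path.append(tag)
        text.clear()

    def char_data(chunk):
        text.append(chunk)

    def end_element(tag):
        # Capture leaf values directly under <package><infos>.
        if path[:-1] == ["package", "infos"]:
            infos[tag] = "".join(text).strip()
        path.pop()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return infos


def scan_xar(archive: bytes) -> dict:
    """Open a XAR (zip) in memory and validate its package.xml before import."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        if "package.xml" not in zf.namelist():
            raise UnsafePackageXml("package.xml missing from archive")
        return check_package_xml(zf.read("package.xml"))


def build_xar(package_xml: str) -> bytes:
    """Constructed helper: a minimal XAR containing only package.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xml", package_xml)
    return buf.getvalue()


# Constructed benign package descriptor.
BENIGN_PACKAGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<package>
  <infos>
    <name>Sample Extension</name>
    <description>A harmless package description.</description>
    <version>1.0</version>
  </infos>
  <files/>
</package>
"""

# Constructed forged descriptor: same layout, but with a DTD declaring an
# external entity. The gate must refuse it at the DOCTYPE; the placeholder
# path is never opened.
FORGED_PACKAGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE package [
  <!ENTITY leak SYSTEM "file:///placeholder/never-read">
]>
<package>
  <infos>
    <name>&leak;</name>
  </infos>
</package>
"""


def demo() -> tuple:
    """Run the gate over both archives: (benign name, forged was rejected)."""
    benign = scan_xar(build_xar(BENIGN_PACKAGE_XML))
    try:
        scan_xar(build_xar(FORGED_PACKAGE_XML))
        forged_rejected = False
    except UnsafePackageXml:
        forged_rejected = True
    return benign["name"], forged_rejected


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed before any semantic handling of the archive: a legitimate XAR descriptor has no reason to carry a DTD, so rejecting the declaration outright is simpler and safer than trying to enumerate which entities would be harmful. The same gate should be applied to every XML document inside the archive, not just package.xml, if the importer parses them with a DTD-aware parser.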

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2023-27480
GHSA-GX4F-976G-7G6V

Affected Products

Xwiki Platform