XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
The database search mechanism (the `Main.DatabaseSearch` page) does not safely validate user-supplied input data, which corresponds to vulnerabilities of the CWE-94 class (code injection) and CWE-95 (eval of unsafe expressions). An attacker can place a payload containing malicious code in the search field, which will be interpreted and executed by the platform engine. By default, the database search page is accessible to all users, which means that in the case of a public wiki, any unauthenticated visitor can carry out the exploit.
An attacker gains the ability to execute arbitrary code on the server side (RCE), which leads to complete takeover of the XWiki installation — violation of confidentiality, integrity and availability of all data and services.
XWiki Platform should be updated to version 14.10.20, 15.5.4 or 15.10RC1, in which the vulnerability has been patched. As a workaround, you can manually apply a patch on the `Main.DatabaseSearch` page or — if database search is not actively used — remove this page, as it is not the default XWiki search interface.
XWiki Platform in versions from 2.4-milestone-1 to (excluding) 14.10.20, 15.5.4 and 15.10-rc-1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki2.4 – 14.10.20 (bez)15.0 – 15.5.4 (bez)15.6 – 15.10 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra