XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page.
An attacker creates a document with a properly crafted space title that contains malicious Groovy code. During title processing by the Solr search component (specifically the `Main.SolrSpaceFacet` page), the input data is interpreted and executed as Groovy code without proper validation or isolation (CWE-94, CWE-95). This results in execution of arbitrary code on the XWiki server side in the context of the entire installation.
An attacker can execute arbitrary Groovy code on the server, leading to complete breach of confidentiality, integrity, and availability of the entire XWiki installation. In practice, this means the possibility of server takeover, data leakage, and disruption of platform operations.
XWiki Platform should be updated to version 14.10.20, 15.5.4, or 15.10 RC1. As a workaround without updating, the patch should be manually applied to the `Main.SolrSpaceFacet` page according to commits published in the vendor's GitHub repository.
XWiki Platform in versions from 7.2-rc-1 to versions preceding 14.10.20, 15.5.4, and 15.10-rc-1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki7.27.3 – 14.10.20 (bez)15.0 – 15.5.4 (bez)15.6 – 15.10 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra