XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.
The HTML escaping tool (`$escapetool.html`) used on the XWiki Platform does not sanitize the `{` character. In specific locations within XWiki documents, an attacker can inject XWiki syntax through this vulnerability, which will be processed by the wiki engine. This results in arbitrary server-side code execution without requiring an account or interaction from other users. In a standard XWiki installation, at least the `Panels.PanelLayoutUpdate` document is vulnerable, but any extension using `$escapetool.html` may be equally at risk.
An unauthenticated attacker can execute arbitrary code on the server (RCE), gaining full control over the XWiki instance, its data, and potentially the infrastructure on which it runs.
XWiki should be updated to version 14.10.19, 15.5.5, or 15.9 RC1. If an update is not immediately possible, a workaround can be applied by replacing `$escapetool.html` with `$escapetool.xml` in XWiki documents — particularly in the `Panels.PanelLayoutUpdate` document. All installed extensions using `$escapetool.html` should also be reviewed and patched.
XWiki Platform in versions from 3.0.1 to (excluding) 14.10.19, 15.5.4, and 15.10-rc-1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki3.0.1 – 14.10.19 (bez)15.0 – 15.5.4 (bez)15.6 – 15.9 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra