XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
The vulnerability results from improper access control (CWE-862) and code injection and evaluation capabilities (CWE-95, CWE-94). A user with edit rights can define specially crafted instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` classes on any wiki page, including their own profile. The platform processes these objects without proper permission verification and isolation, leading to embedded code execution in the server context.
An attacker can take full control of the XWiki installation, gaining access to all data, modifying wiki content, and causing service unavailability — resulting in a complete breach of system confidentiality, integrity, and availability.
XWiki Platform should be updated to version 14.10.21, 15.5.5, or 15.10.2, in which the vulnerability has been removed. Patches are available in the XWiki project GitHub repository.
XWiki Platform in all versions before 14.10.21, 15.5.5, and 15.10.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki9.2 – 14.10.21 (bez)15.0 – 15.5.5 (bez)15.6 – 15.10.2 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra