XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
The bug results from improper permission verification (CWE-863) and the possibility of script code injection and execution (CWE-94, CWE-96) in the context of XWiki pages. An attacker with basic access to the XWiki instance can exploit the ExtensionCode.ExtensionSheet or ExtensionCode.ExtensionAuthorsDisplayer pages to execute arbitrary code with programmer privilege level. No interaction from other users or privilege escalation beyond the vulnerability mechanism itself is required.
An attacker can execute arbitrary code on the server with the highest application privileges (programming rights), which in practice means complete takeover of the XWiki instance, access to sensitive data, modification of wiki content, and potential compromise of system integrity and availability.
XWiki Platform should be updated to version 15.10.9 or 16.3.0. As a workaround, the Extension Repository Application can be disabled if not used. It is also possible to manually apply patches from commit 8659f17d500522bf33595e402391592a35a162e8 on the ExtensionCode.ExtensionSheet and ExtensionCode.ExtensionAuthorsDisplayer pages.
XWiki Platform versions from 3.3-milestone-1 to 15.10.8 and from 16.0.0 to 16.2.x, with the Extension Repository Application installed
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki3.3 – 15.10.9 (bez)16.0.0 – 16.3.0 (bez)
Related vulnerabilities
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra