XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the classes parameter in the panel macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 contains a patch for the issue.
The classes parameter of the Panel macro is inserted into XWiki syntax without proper escaping. An attacker can provide a specially crafted value for this parameter, which will be interpreted as XWiki syntax injection. As a result, the XWiki rendering engine will process the embedded payload as code, leading directly to RCE on the server. It is sufficient that a user has the ability to edit any page in the instance — administrative privileges are not required.
An attacker can gain full control over the XWiki instance, including reading and modifying all data, executing arbitrary system commands, and potentially compromising the entire server environment (violation of confidentiality, integrity, and availability).
Update XWiki Pro Macros to version 1.26.5, which contains an official patch eliminating the missing escaping of the classes parameter in the Panel macro. If immediate update is not possible, consider restricting page editing permissions to trusted users until the patch is deployed.
XWiki Pro Macros (xwiki-pro-macros) in versions from 1.0 to earlier than 1.26.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXwiki Pro Macros
APPXwiki1.0 – 1.26.5 (bez)
Related vulnerabilities
XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column
RCE przez brak escapowania w makrze Viewpdf w XWiki Pro Macros
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Pr...
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Pr...
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch