XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the ac:type in the ConfluenceLayoutSection macro allows remote code execution for any user who can edit any page The classes parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution. Version 1.26.5 has a fix for the issue.
In the ConfluenceLayoutSection macro, the ac:type parameter (CSS classes, 'classes' field) is inserted into XWiki syntax without proper escaping. An attacker can inject arbitrary code in XWiki syntax (XWiki syntax injection), which will be executed on the server side when the page is rendered. It is sufficient for the attacker to have the ability to edit any page in the XWiki instance – administrator privileges are not required.
An attacker can gain full control over the XWiki server: execute arbitrary code, access sensitive data, modify or delete wiki content, and potentially extend access to other systems on the network (lateral movement).
Update the XWiki Remote Macros component to version 1.26.5, which contains a patch eliminating the lack of escaping. The patch is available in the vendor's repository (commit 06e6cf3893227527d0242a11e390642178d9df05).
XWiki Remote Macros (xwiki-pro-macros) in versions from 1.0 to 1.26.4 inclusive (before version 1.26.5).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H