XWiki Commons Libraries Vulnerability Allows Arbitrary Code Execution in XWiki

CVE: CVE-2023-29210
CVSS (v3.1): 10
Source: CVE-2023-29210

XWiki Commons libraries are commonly used across many XWiki projects to provide shared functionality. However, a vulnerability has been discovered that allows arbitrary code execution in XWiki installations.

The vulnerability lies in the macros used for notification preferences, which failed to properly escape user input. Because the user's profile content was inserted into the macro output unescaped, anything written there was rendered and executed with the privileges of the XWiki server. An attacker could simply place malicious code in their own profile, and it would run whenever the vulnerable macros were rendered.
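The defect described above is an escaping failure: a profile value is pasted into wiki markup verbatim, so macro syntax inside it becomes live. The following added example (not XWiki's own code, and not the patched macro) models that in Python with a toy notification-preferences row. It assumes XWiki 2.x conventions, namely that a macro is invoked as `{{name}} ... {{/name}}` and that `~` escapes the character that follows it; the row template, the `scriptmacro` name and the sample display name are constructed for the illustration.

```python
import re

# Assumption (not from the advisory): in XWiki 2.x markup a macro is invoked
# as {{name}} ... {{/name}}, and "~" escapes the character that follows it.
ESCAPE_CHAR = "~"
SPECIAL_CHARS = "{}~"  # the characters that matter for macro injection

# An unescaped macro opener such as {{velocity}} or {{html clean="false"}}.
# The lookbehind skips openers whose first brace has been escaped.
MACRO_RE = re.compile(r"(?<!~)\{\{\s*([A-Za-z][\w-]*)")


def escape_markup(user_text: str) -> str:
    """Prefix every markup-significant character in untrusted text with "~"."""
    return "".join(ESCAPE_CHAR + c if c in SPECIAL_CHARS else c for c in user_text)


def render_notification_row(display_name: str, escape: bool) -> str:
    """Build the markup a notification-preferences macro might emit for a user.

    escape=False reproduces the defect the advisory describes: the profile
    value is inserted verbatim. escape=True is the hardened form.
    The table-row template is constructed, not XWiki's real template.
    """
    value = escape_markup(display_name) if escape else display_name
    return f"|= Notify |= {value} |"


def macros_invoked(markup: str) -> list:
    """Names of macros a renderer following the assumed syntax would execute."""
    return MACRO_RE.findall(markup)


# Constructed sample: a display name that smuggles macro syntax.
# "scriptmacro" is a fictitious name standing in for any script-capable macro.
SAMPLE_NAME = "Alice {{scriptmacro}}payload{{/scriptmacro}}"


def demo() -> dict:
    """Compare what the renderer would execute for the vulnerable and hardened rows."""
    vulnerable = render_notification_row(SAMPLE_NAME, escape=False)
    hardened = render_notification_row(SAMPLE_NAME, escape=True)
    return {
        "vulnerable_macros": macros_invoked(vulnerable),  # ["scriptmacro"]
        "hardened_macros": macros_invoked(hardened),      # []
        "hardened_markup": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that the hardened row still displays the user's text unchanged once rendered (each `~` is consumed by the renderer), while the renderer no longer sees a macro invocation. Escaping at the point where untrusted text meets markup, rather than filtering profile input, is what closes the gap, because the same value can reach many macros.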

As the macros are included by default, this impacts all typical XWiki installations. An attacker could use this to completely compromise the server and take over the XWiki site.

XWiki has released patches that fix the issue in versions 13.10.11, 14.4.7 and 14.10. All XWiki users are advised to upgrade immediately to one of these versions. Administrators should also carefully review any custom macros or plugins for the same class of escaping issue.
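To turn the three patched versions named above into an inventory check, here is an added Python example (not a tool from XWiki or the advisory). It assumes the release layout implied by those numbers: 13.10.x and 14.4.x are maintenance branches that received the fix at 13.10.11 and 14.4.7, and every release from 14.10 upwards carries it, so intermediate 14.x releases below 14.10 outside the 14.4.x branch are treated as unpatched. Pre-release suffixes such as `-rc-1` are ignored, which is an assumption. The hostnames and versions in the inventory are constructed.

```python
import re
from typing import Optional

# Patched releases named in the advisory for CVE-2023-29210.
# Assumption about branch layout (not stated on the page): 13.10.x and 14.4.x
# are maintenance branches, and 14.10 opens the fixed line for everything newer.
PATCHED_BRANCHES = {
    (13, 10): (13, 10, 11),
    (14, 4): (14, 4, 7),
}
FIXED_FROM = (14, 10, 0)

# Leading "major.minor[.patch]"; anything after (e.g. "-rc-1") is ignored (assumption).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[tuple]:
    """Turn '14.4.7', '14.10' or '13.10.11-rc-1' into (major, minor, patch)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the release carries the fix, False if not, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if parsed >= FIXED_FROM:
        return True
    branch = (parsed[0], parsed[1])
    if branch in PATCHED_BRANCHES:
        return parsed >= PATCHED_BRANCHES[branch]
    return False


# Constructed inventory: hostname and the version string each instance reports.
INVENTORY = [
    ("wiki-prod.example.test", "14.4.6"),
    ("wiki-lts.example.test", "13.10.11"),
    ("wiki-dev.example.test", "14.10"),
    ("wiki-old.example.test", "14.7.2"),
    ("wiki-unknown.example.test", "n/a"),
]


def triage(inventory) -> dict:
    """Split hosts into patched / unpatched / unknown buckets for follow-up."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        bucket = "unknown" if state is None else ("patched" if state else "unpatched")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" deserve the same urgency as "unpatched": a version string the check cannot parse is not evidence that the fix is present.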

Until the server is upgraded, users are also advised to be careful about what content they place in their profiles. Upgrading is the only true fix, but limiting profile content can reduce exposure in the interim.
