XWiki Blind SQL Injection Vulnerability in HQL Execution Context

Vulnerability

A blind SQL injection vulnerability has been identified in XWiki, a generic wiki platform, affecting versions from 1.6-milestone-1 up to, but not including, the fixed releases 15.10.16, 16.4.6 and 16.10.1. The vulnerability allows users with SCRIPT rights to escape the HQL execution context and execute arbitrary SQL statements on the database backend. Depending on the database used, an attacker could access confidential information such as password hashes or execute UPDATE, INSERT, or DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6, and 15.10.16.

Impact

Exploitation of this vulnerability allows for blind SQL injection, where an attacker can execute arbitrary SQL commands on the database. This could lead to unauthorized access to confidential information, such as password hashes, and the ability to modify or delete data in the database.

Reproduction

The vulnerability can be reproduced in a default installation of XWiki Standard Flavor, including the official Docker containers. A user with SCRIPT rights can execute a short-form HQL query that escapes the HQL execution context. For example, a query can be crafted to union-select data from a database table, such as the 'xwikistrings' table in a MySQL or MariaDB database, which contains sensitive information including password hashes.

Remediation

Users are advised to upgrade to XWiki versions 16.10.1, 16.4.6, or 15.10.16.
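The following script is an added example for checking an inventory of XWiki deployments against the affected and fixed versions listed in this advisory; it is not code from XWiki or from the advisory's author. It parses XWiki version strings in the forms used above (plain "MAJOR.MINOR.PATCH" plus "-milestone-N" and "-rc-N" qualifiers) and orders pre-release builds before the final release of the same number. The fixed versions 15.10.16, 16.4.6 and 16.10.1 and the first affected version 1.6-milestone-1 come from the advisory; the split of the 16.x line at minor version 4/5 (16.4.6 closing the 16.0 to 16.4 releases, 16.10.1 closing 16.5 and later) is an assumption derived from which fix versions exist, not something the advisory states.

```python
"""Decide whether an XWiki version string falls in the version ranges this
advisory names as affected. Example code, not part of XWiki."""
import re
from typing import List, Tuple

# Version boundaries taken from the advisory text.
FIRST_AFFECTED = "1.6-milestone-1"
FIX_15 = "15.10.16"
FIX_16_4 = "16.4.6"
FIX_16_10 = "16.10.1"

# Qualifier ordering: milestones sort before release candidates, which sort
# before the final release of the same numeric version.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

VersionKey = Tuple[Tuple[int, int, int], int, int]

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?"
)


def parse_version(version: str) -> VersionKey:
    """Turn 'MAJOR.MINOR[.PATCH][-milestone-N|-rc-N]' into a sortable key.

    The key is (numeric triple, qualifier rank, qualifier number), so tuple
    comparison gives the intended order, e.g. 1.6-milestone-1 < 1.6.
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    if qualifier is None:
        return nums, _FINAL_RANK, 0
    return nums, _QUALIFIER_RANK[qualifier], int(qnum)


def is_affected(version: str) -> bool:
    """True when the version is inside a range the advisory lists as affected."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return False
    # Advisory: every version from 1.6-milestone-1 up to (excluding) 15.10.16.
    if v < parse_version(FIX_15):
        return True
    major, minor = v[0][0], v[0][1]
    if major != 16:
        # 15.10.16 and later on the 15.x line, and 17.x onward, are at or
        # past a fix release.
        return False
    # Assumption (not stated by the advisory): 16.4.6 is the fix for the
    # 16.0-16.4 releases and 16.10.1 is the fix for 16.5 and later.
    if minor <= 4:
        return v < parse_version(FIX_16_4)
    return v < parse_version(FIX_16_10)


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Return (version, affected) pairs for a constructed inventory list."""
    return [(ver, is_affected(ver)) for ver in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    sample = ["15.10.15", "15.10.16", "16.4.5", "16.4.6",
              "16.10.0-rc-1", "16.10.1", "1.6-milestone-1", "17.0.0"]
    for ver, affected in triage(sample):
        print(f"{ver:>16}  {'AFFECTED, upgrade' if affected else 'fixed'}")
```

Feed it the version reported by each instance and upgrade any instance it flags; a version string it cannot parse raises ValueError rather than silently passing, so unusual build labels get looked at by hand instead of being treated as fixed.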

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.