XWiki Open Redirect Vulnerability in HTML Conversion Request Filter
Vulnerability
An open redirect vulnerability has been identified in XWiki versions 13.5-rc-1 prior to 15.10.13, 16.0.0-rc-1 prior to 16.4.4, and 16.5.0-rc-1 prior to 16.8.0. It allows attackers to craft URLs that redirect to any site by abusing the HTML conversion request filter. The issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.
Impact
Exploitation of this vulnerability enables open redirection: users who follow a crafted link on the trusted XWiki host can be sent to an untrusted site, which can be used for phishing.
Reproduction
To reproduce this vulnerability, send a request to the XWiki instance with the 'xerror' parameter set to an external URL, such as 'https://www.example.com'. This can be done by navigating to '<xwiki-host>/xwiki/bin/view/Main/' and including the 'RequiresHTMLConversion' parameter. The request is redirected to the specified external URL, which demonstrates the open redirect.
Remediation
Users should update to XWiki version 15.10.13, 16.4.4, or 16.8.0 to address this vulnerability. Additionally, a web application firewall can be configured to reject requests that carry the 'xerror' parameter, since this parameter is no longer in use.
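As an added example (not XWiki's own code), the check below shows the strict same-site validation a redirect target such as the 'xerror' value should pass, and scans constructed access-log lines for requests that set 'xerror' to an external URL; the log format, host names and sample lines are assumptions.

```python
# Added example, not XWiki code: a strict same-site check for a redirect
# target (e.g. the 'xerror' value) plus a log scan flagging requests that
# set 'xerror' to anything outside the wiki.
from urllib.parse import urlsplit, parse_qs


def is_safe_redirect(target: str) -> bool:
    """Accept only a local path such as '/xwiki/bin/view/Main/'.

    Rejects absolute URLs, scheme-relative '//host' forms, backslash
    variants and control characters, so a redirect cannot leave the site."""
    if not target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return target.startswith("/") and not target.startswith(("//", "/\\"))


def xerror_targets(log_lines):
    """Return (client, xerror value) for lines whose 'xerror' parameter
    fails is_safe_redirect(). Assumed (constructed) log format:
    '<ip> "<method> <path?query> HTTP/1.1" <status>'."""
    hits = []
    for line in log_lines:
        try:
            client, request = line.split(" ", 1)
            request_target = request.split('"')[1].split(" ")[1]
        except (IndexError, ValueError):
            continue  # malformed line, skip it
        query = urlsplit(request_target).query
        for value in parse_qs(query).get("xerror", []):
            if not is_safe_redirect(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=1'
    '&xerror=https%3A%2F%2Fwww.example.com HTTP/1.1" 302',
    '198.51.100.7 "GET /xwiki/bin/view/Main/?xerror=%2Fxwiki%2Fbin%2Fview%2FMain%2F HTTP/1.1" 302',
    '198.51.100.8 "GET /xwiki/bin/view/Main/?xerror=%2F%2Fwww.example.com HTTP/1.1" 302',
    "garbage line",
]

if __name__ == "__main__":
    for client, value in xerror_targets(SAMPLE_LOG):
        print(f"external xerror redirect from {client}: {value}")
```

Only the first and third sample lines are flagged; the second carries a local path and passes the check.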
