XWiki
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- >= 15.9-rc-1, < 15.10.12
- >= 16.0.0-rc-1, < 16.4.3
- >= 16.5.0-rc-1, < 16.8.0-rc-1
A vulnerability exists in XWiki versions 15.9-rc-1 prior to 15.10.12, 16.0.0-rc-1 prior to 16.4.3, and 16.5.0-rc-1 prior to 16.8.0-rc-1. When a user with programming rights edits a document containing an 'XWiki.ComponentClass' object, which was previously edited by a user without programming rights, the system fails to warn that programming rights will be granted to that object. This oversight allows an attacker, who can edit at least one page, to create a malicious object and potentially gain programming rights on the wiki by having an admin user edit the document.
Exploitation of this vulnerability allows for unauthorized escalation of programming rights, enabling the execution of arbitrary Groovy code, which could lead to unrestricted access to the XWiki instance.
To reproduce this vulnerability, a user without programming rights should add an 'XWiki.ComponentClass' object to a page. Once saved, the page can be edited by a user with programming rights. If no warning is displayed about granting rights to the component, the XWiki installation is vulnerable. This vulnerability can also be exploited by creating a document with a 'groovy' macro after the 'XWiki.ComponentClass' object has been added and the page has been edited by a user with programming rights.
Users can update to XWiki versions 15.10.12, 16.4.3, or 16.8.0-rc-1 to address this vulnerability.
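As a first defensive check, the following added example (not part of the advisory) tests whether a deployed XWiki version string falls inside the affected ranges listed above and names the fixed release to move to. It treats XWiki pre-release suffixes (milestone, rc) as sorting before the corresponding final release, so that 16.8.0-rc-1 is already fixed while 16.7.x is still affected; the version strings used are constructed samples.

```python
import re

# Affected ranges from the advisory, as [introduced, fixed) per branch.
AFFECTED_RANGES = [
    ("15.9-rc-1", "15.10.12"),
    ("16.0.0-rc-1", "16.4.3"),
    ("16.5.0-rc-1", "16.8.0-rc-1"),
]

# Pre-release tags sort below a final release: milestone < rc < final.
_PRE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


def parse_version(version: str) -> tuple:
    """Turn '16.8.0-rc-1' into a comparable tuple: (16, 8, 0, 1, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # '15.9' compares like '15.9.0'
    if m.group(2) is None:
        pre = (_FINAL_RANK, 0)
    else:
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3)))
    return nums + pre


def fixed_version_for(version: str):
    """Return the fixed release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return fixed
    return None


def is_vulnerable(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    for sample in ["15.10.11", "15.10.12", "16.4.2", "16.7.1", "16.8.0-rc-1"]:
        print(sample, "->", fixed_version_for(sample) or "not affected")
```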