XWiki Privilege Escalation Vulnerability Through Link Refactoring
Vulnerability
A vulnerability in XWiki allows privilege escalation and unauthorized script execution through improper handling of link refactoring. This issue affects XWiki versions 8.2, 7.4.5 prior to 17.1.0-rc-1, 16.10.4, and 16.4.7. The vulnerability arises when a linked page is renamed or moved and the links to it are refactored, which leads to the execution of scripts in xobjects that should not have been executed. The root cause is that, during a refactoring operation, the document is saved with the current user as its metadata author, which can inadvertently grant script rights to users who should not have them.
Impact
Exploitation of this vulnerability could allow a user to gain script rights and execute scripts in xobjects, potentially leading to unauthorized actions or changes within the XWiki environment.
Reproduction
To reproduce this vulnerability, create two users: one without script rights and another with script rights. The user with script rights should rename a page that is linked to an xobject containing a Velocity script. After the renaming, the xobject will execute the script, demonstrating the privilege escalation.
Remediation
Users are advised to upgrade to XWiki versions 17.1.0-rc-1, 16.10.4, or 16.4.7. If an immediate upgrade is not possible, the vulnerable 'xwiki-platform-refactoring-default' module can be patched manually by applying the relevant commit and rebuilding the module.
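A version check for an inventory of XWiki instances, added here as an example and not taken from the XWiki project or the advisory. It assumes each fixed release named above closes its own branch (16.4.x and older, 16.5 through 16.10.x, 17.0.x) and reads 8.2 and 7.4.5 as the first affected versions; the function names and the sample inventory are constructed.

```python
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")

def parse(version):
    """Turn '16.10.4' or '17.1.0-rc-1' into a sortable tuple."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    # A release candidate sorts before the final release with the same number.
    stage = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + stage

def fixed_release_for(version):
    """Fixed release from the page that applies to this version's branch
    (branch mapping is an assumption, see the lead-in)."""
    branch = parse(version)[:2]
    if branch >= (17, 0):
        return "17.1.0-rc-1"
    if branch >= (16, 5):
        return "16.10.4"
    return "16.4.7"

def is_affected(version):
    """True if the version is in the affected range and older than its fix."""
    v = parse(version)
    # Lower bounds as read from the page (assumption): 7.4.5 within the
    # 7.4 branch, and everything from 8.2 onward.
    in_range = (v[:2] == (7, 4) and v >= parse("7.4.5")) or v >= parse("8.2")
    return in_range and v < parse(fixed_release_for(version))

def report(inventory):
    """Map host -> upgrade target for every affected instance."""
    return {host: fixed_release_for(ver)
            for host, ver in inventory.items() if is_affected(ver)}

if __name__ == "__main__":
    # Constructed inventory: host names and versions are sample values.
    sample = {"wiki-a": "16.4.6", "wiki-b": "16.10.4",
              "wiki-c": "17.0.0", "wiki-d": "17.1.0-rc-1"}
    for host, target in report(sample).items():
        print(f"{host}: upgrade to {target} or later")
```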
