XWiki Remote Code Execution Vulnerability via Default Macro Parameters

Vulnerability

A remote code execution vulnerability exists in XWiki versions from 11.10.11 before 12.0, from 12.6.3 before 12.7, from 12.8-rc-1 before 16.4.7, from 16.5.0-rc-1 before 16.10.3, and from 17.0.0-rc-1 before 17.0.0. It allows any user with edit rights on a page to execute code (Groovy, Python, Velocity) with programming rights by creating a wiki macro. The root cause is that when a macro parameter permits wiki syntax, the parameter's default value is executed with the rights of the author of the document in which the macro is applied, not the rights of the user who defined the macro. This can be exploited by manipulating a macro, such as the 'children' macro, that is used on a page saved with programming rights, such as 'XWiki.ChildrenMacro', so that arbitrary scripts run with those rights.

Impact

Successful exploitation results in remote code execution on the XWiki server, with the executed code running in the context of the user who created or edited the macro. Depending on the code executed, this could lead to unauthorized access, data manipulation, or disruption of service.

Reproduction

To reproduce this vulnerability, edit a page as a user without programming rights and add an object of type 'XWiki.WikiMacroClass' defining a macro with a parameter that allows wiki syntax. Set the parameter's default value to a script, for example a Groovy command that prints a message. Once the page is saved, rendering the 'XWiki.ChildrenMacro' page executes the script, demonstrating that programming rights have been obtained.

Remediation

Upgrade to XWiki version 16.4.7, 16.10.3, or 17.0.0, where this vulnerability has been patched. Upgrade instructions can be found in the XWiki documentation.
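The mechanism described above (a script macro placed in the default value of a wiki-syntax parameter) leaves a recognisable trace in the macro definition itself, so an administrator can audit existing macro definitions for it before and after upgrading. The following Python script is an added example, not code from this advisory or from the XWiki project. It works on an in-memory representation of 'XWiki.WikiMacroClass' objects and their parameters; the field names (default_value, wiki_syntax, last_author) are assumptions that stand in for whatever export format you use, and the sample macros are constructed.

```python
import re
from dataclasses import dataclass

# Opening tag of an XWiki 2.x script macro, e.g. {{groovy}}, {{python}} or
# {{velocity}}; these are the three script languages the advisory names.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|python|velocity)\b", re.IGNORECASE)


@dataclass
class MacroParameter:
    """One wiki macro parameter (field names are assumptions, not XWiki's own)."""
    name: str
    default_value: str
    wiki_syntax: bool  # assumption: True when the parameter type accepts wiki syntax


@dataclass
class WikiMacro:
    """One XWiki.WikiMacroClass object together with its parameters."""
    page: str          # document that holds the macro definition
    macro_id: str
    last_author: str   # assumption: the user who last saved the defining page
    parameters: list


def find_script_defaults(macro: WikiMacro) -> list:
    """Return one finding per parameter whose default value contains a script macro.

    A script macro in the default value of a parameter that accepts wiki syntax is
    executed with the rights of the author of the page where the macro is used, so
    it is rated 'high'. Script text in a parameter that does not accept wiki syntax
    is not rendered as wiki content, so it is only reported for review.
    """
    findings = []
    for param in macro.parameters:
        match = SCRIPT_MACRO_RE.search(param.default_value)
        if match is None:
            continue
        findings.append({
            "page": macro.page,
            "macro": macro.macro_id,
            "parameter": param.name,
            "script_macro": match.group(1).lower(),
            "last_author": macro.last_author,
            "severity": "high" if param.wiki_syntax else "review",
        })
    return findings


def audit(macros: list) -> list:
    """Audit every macro definition and return all findings, 'high' first."""
    findings = []
    for macro in macros:
        findings.extend(find_script_defaults(macro))
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


# Constructed sample data; not taken from any real wiki.
SAMPLE_MACROS = [
    WikiMacro(
        page="Sandbox.SafeBox",
        macro_id="safebox",
        last_author="XWiki.Editor",
        parameters=[
            MacroParameter("title", "Note", wiki_syntax=False),
            MacroParameter("body", "(% class='box' %)Default text", wiki_syntax=True),
        ],
    ),
    WikiMacro(
        page="Sandbox.SuspiciousBox",
        macro_id="suspiciousbox",
        last_author="XWiki.Editor",
        parameters=[
            MacroParameter("content", '{{groovy}}println("hello"){{/groovy}}', wiki_syntax=True),
            MacroParameter("label", "{{velocity}}$doc.name{{/velocity}}", wiki_syntax=False),
        ],
    ),
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MACROS):
        print(finding)
```

Run as a script, it prints the two findings from the constructed sample: the 'content' parameter of 'suspiciousbox' is rated high because it accepts wiki syntax and carries a Groovy macro, while the 'label' parameter is listed only for review. Any 'high' finding on a page whose last author lacks programming rights is worth treating as a likely exploitation attempt rather than a legitimate macro, and the last_author field gives the starting point for that check.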

Added: Jun 13, 2025, 4:20 PM
Updated: Jun 13, 2025, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.