XWiki Context Macro Vulnerability Allows Remote Code Execution

Vulnerability

A vulnerability in XWiki's handling of macro parameters can lead to remote code execution. When a user edits content that includes 'dangerous' macros, such as malicious script macros added by users with lower rights, XWiki normally warns that the macros may execute. This warning system is incomplete, however, which lets an attacker conceal harmful content. The issue arises because the rights analyzers do not account for parameter names that are not lowercase, and they fail to analyze most macro parameters that can contain XWiki syntax, including the titles of information boxes. The 'source' parameters of the content and context macros are likewise not properly analyzed, even though they can hold arbitrary XWiki syntax. Exploitation could involve adding malicious script macros, such as Groovy or Python, to a page; these would then be executed by a user with programming rights.

Impact

Successful exploitation allows remote code execution on the server where XWiki is hosted.

Reproduction

To reproduce this vulnerability, create a page as a user without script rights and include a context macro whose source parameter contains a script reference, such as a Velocity script. When an admin edits the page, the script executes without any warning. The same issue occurs with the content macro, and because parameter names that are not lowercase are ignored by the analyzer, they allow similar exploitation.
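The analyzer gap described in the Vulnerability and Reproduction sections can be modelled as a check a wiki operator might run over page content before a privileged user opens it in the editor. The following Python is an added example, not XWiki's own code and not the fix shipped in the versions listed under Remediation. It assumes a simplified model of the {{name key="value"}} macro syntax (double-quoted values, backslash escapes), and the names naive_analyze, hardened_analyze, parse_macros and the sample pages are constructed for this illustration. naive_analyze reproduces the two gaps the advisory names (case-sensitive parameter names and no inspection of the source parameter); hardened_analyze compares names case-insensitively and treats every parameter value as potential wiki syntax.

```python
from dataclasses import dataclass, field

# Macro names whose presence in content means code would run on edit/render.
SCRIPT_MACROS = {"velocity", "groovy", "python", "script"}


@dataclass
class Macro:
    name: str
    params: dict = field(default_factory=dict)


def parse_macros(text):
    """Return the top-level macro invocations found in text.

    Simplified model of XWiki's {{name key="value"}} syntax (an assumption of this
    example): parameter values are double-quoted, may contain }} and nested macros,
    and use backslash to escape a quote. Closing tags such as {{/context}} are skipped.
    """
    macros, i, n = [], 0, len(text)
    while (i := text.find("{{", i)) != -1:
        j = i + 2
        if j < n and text[j] == "/":          # closing tag: nothing to analyze
            i = j
            continue
        k = j
        while k < n and (text[k].isalnum() or text[k] in "_-"):
            k += 1
        name = text[j:k]
        if not name:
            i = j
            continue
        params, pos, closed = {}, k, False
        while pos < n:
            while pos < n and text[pos].isspace():
                pos += 1
            if text.startswith("}}", pos) or text.startswith("/}}", pos):
                pos += 3 if text[pos] == "/" else 2
                closed = True
                break
            kstart = pos
            while pos < n and (text[pos].isalnum() or text[pos] in "_-"):
                pos += 1
            key = text[kstart:pos]
            while pos < n and text[pos].isspace():
                pos += 1
            if not key or pos >= n or text[pos] != "=":
                break                          # malformed parameter list
            pos += 1
            while pos < n and text[pos].isspace():
                pos += 1
            if pos >= n or text[pos] != '"':
                break
            pos += 1
            buf = []
            while pos < n and text[pos] != '"':
                if text[pos] == "\\" and pos + 1 < n:
                    pos += 1                   # escaped character
                buf.append(text[pos])
                pos += 1
            if pos >= n:
                break
            pos += 1                           # closing quote
            params[key] = "".join(buf)
        if not closed:
            i = j
            continue
        macros.append(Macro(name, params))
        i = pos
    return macros


def naive_analyze(text, path=()):
    """Models the incomplete analysis the advisory describes (hypothetical model):
    only the lowercase 'title' of an info box is inspected as wiki syntax, parameter
    names are matched case-sensitively, and 'source' is never examined."""
    findings = []
    for m in parse_macros(text):
        if m.name.lower() in SCRIPT_MACROS:
            findings.append(f"{m.name.lower()} via {'.'.join(path) or 'top level'}")
        if m.name.lower() == "info" and "title" in m.params:
            findings.extend(naive_analyze(m.params["title"], path + ("info.title",)))
    return findings


def hardened_analyze(text, path=()):
    """Conservative analysis: every parameter value of every macro is treated as
    potential wiki syntax and parameter names are lowercased before comparison,
    so Source=, Title= and the context/content source parameters are all covered."""
    findings = []
    for m in parse_macros(text):
        if m.name.lower() in SCRIPT_MACROS:
            findings.append(f"{m.name.lower()} via {'.'.join(path) or 'top level'}")
        for key, value in m.params.items():
            findings.extend(hardened_analyze(value, path + (f"{m.name.lower()}.{key.lower()}",)))
    return findings


# Constructed sample pages (not taken from any real wiki).
SAMPLE_CONTEXT = '{{context Source="{{groovy}}println 1{{/groovy}}"}}{{/context}}'
SAMPLE_INFO_UPPER = '{{info Title="{{velocity}}$doc.name{{/velocity}}"}}body{{/info}}'
SAMPLE_INFO_LOWER = '{{info title="{{velocity}}$doc.name{{/velocity}}"}}body{{/info}}'
SAMPLE_BENIGN = '{{info title="Release notes"}}Plain text{{/info}}'

if __name__ == "__main__":
    for label, page in [("context/Source", SAMPLE_CONTEXT), ("info/Title", SAMPLE_INFO_UPPER),
                        ("info/title", SAMPLE_INFO_LOWER), ("benign", SAMPLE_BENIGN)]:
        print(f"{label:15} naive={naive_analyze(page)} hardened={hardened_analyze(page)}")
```

Running the script shows the naive analyzer returning nothing for the context macro's Source parameter and for the capitalised Title, while the hardened analyzer reports the script macro and the parameter path it was hidden in; both stay silent on the benign page.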

Remediation

Users can update to XWiki versions 16.4.7, 16.10.3, or 17.0.0 to address this vulnerability.

Added: Jun 13, 2025, 6:42 PM
Updated: Jun 13, 2025, 6:42 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.