XWiki Notification Email Renderer Class Admin Right Granting Vulnerability

Vulnerability

A vulnerability exists in XWiki versions prior to 15.10.16, 16.0.0-rc-1 through 16.4.7, and 16.5.0-rc-1 through 16.10.2. When a user without script rights creates a document containing an 'XWiki.Notifications.Code.NotificationEmailRendererClass' object and an admin later edits and saves that document, the email templates from that object are applied to notifications. Although these templates can include Velocity code, a built-in generic analyzer warns admins before they edit a document containing such code, so malicious scripts are not executed. The primary consequence of this vulnerability is therefore that the email templates can be misused for spam, for example to send phishing links to other users or to obscure notifications about other security incidents.

Impact

Exploitation of this vulnerability could lead to unauthorized email template modifications, allowing for the dissemination of misleading or spam content to users. Additionally, it could interfere with the visibility of important security notifications.

Reproduction

To reproduce this vulnerability, first create a document as a user without script rights and include an 'XWiki.Notifications.Code.NotificationEmailRendererClass' object whose properties contain no Velocity code. Then have an admin user edit and save the document. No warning is shown during this process, even though the email templates can be misused; this absence of a warning demonstrates the vulnerability.

Remediation

Users can upgrade to XWiki versions 15.10.16, 16.4.7, or 16.10.2, where this vulnerability has been patched. For those using version 15.9-rc-1, it is advisable to exercise caution when editing documents created by users with script rights.
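As an added defensive check for the scenario in the reproduction steps (example code, not XWiki's own), the script below walks XWiki XML document exports and flags every NotificationEmailRendererClass object whose document creator is not an allowlisted admin. It keys on <creator> rather than <author>, because the admin's save in the scenario above makes the admin the last author and hides who introduced the object. It assumes the <xwikidoc> export layout and the property names eventType and htmlTemplate; the sample documents and the allowlist are constructed.

```python
"""Audit XWiki XML document exports for planted NotificationEmailRendererClass
objects. Added example, not XWiki's own code: it assumes the <xwikidoc> export
layout and the property names shown; documents and allowlist are constructed."""
import xml.etree.ElementTree as ET

TARGET_CLASS = "XWiki.Notifications.Code.NotificationEmailRendererClass"
TRUSTED_CREATORS = {"XWiki.Admin", "XWiki.superadmin"}  # constructed allowlist

# Constructed exports. PLANTED was created by a low-privilege user and later
# saved by an admin, so <author> is already the admin; only <creator> still
# records who introduced the object. LEGIT is an admin-created renderer.
PLANTED = """<xwikidoc version="1.1" reference="Sandbox.Spam">
  <creator>XWiki.LowPrivUser</creator>
  <author>XWiki.Admin</author>
  <object>
    <className>XWiki.Notifications.Code.NotificationEmailRendererClass</className>
    <property><eventType>create</eventType></property>
    <property><htmlTemplate>&lt;a href="https://example.invalid/login"&gt;Re-login&lt;/a&gt;</htmlTemplate></property>
  </object>
</xwikidoc>"""
LEGIT = """<xwikidoc version="1.1" reference="XWiki.Notifications.Code.Mail">
  <creator>XWiki.Admin</creator>
  <author>XWiki.Admin</author>
  <object>
    <className>XWiki.Notifications.Code.NotificationEmailRendererClass</className>
    <property><eventType>update</eventType></property>
  </object>
</xwikidoc>"""


def audit_document(xml_text, trusted=TRUSTED_CREATORS):
    """Return (reference, creator, properties) for each renderer object in one
    export whose document creator is not on the trusted allowlist."""
    root = ET.fromstring(xml_text)
    ref = root.get("reference", "?")
    creator = root.findtext("creator", "")
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != TARGET_CLASS or creator in trusted:
            continue
        # Each <property> wraps one element named after the class field.
        props = {p.tag: (p.text or "") for prop in obj.iter("property") for p in prop}
        findings.append((ref, creator, props))
    return findings


def audit(docs, trusted=TRUSTED_CREATORS):
    """Run audit_document over every export and flatten the findings."""
    return [f for doc in docs for f in audit_document(doc, trusted)]
```

Run it over a full export (one string per document) and review every flagged object's templates before an admin re-saves the page; an empty result for the trusted notification spaces is the expected baseline.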

Added: Jun 13, 2025, 5:17 PM
Updated: Jun 13, 2025, 6:37 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.9
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.