XWiki
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- < 15.10.16
- >= 16.0.0-rc-1, < 16.4.7
- >= 16.5.0-rc-1, < 16.10.2
A vulnerability exists in XWiki versions prior to 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1. It allows an attacker without script or programming rights to execute malicious code by creating an XClass definition that includes dangerous properties, such as database list queries or custom display scripts. This code is executed under the rights of the user editing the document, without any prior warning. The issue arises because, before XWiki version 15.9, there were no alerts about the risks of editing documents with potentially harmful properties.
Exploitation of this vulnerability could lead to unauthorized code execution with the privileges of the user who edits the affected document.
To reproduce this vulnerability, first create an XClass definition as a user without script rights, including properties that can execute code, such as database list queries containing raw SQL or custom display scripts. Then have a user with programming rights edit that XClass definition. The absence of any warning about the dangerous properties confirms the vulnerability.
Users can upgrade to XWiki versions 15.10.16, 16.4.7, or 16.10.2, where this vulnerability has been patched. Instructions for updating XWiki can be found in the XWiki documentation.
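A quick way to check a deployment against the affected ranges listed above, as an added example that is not part of the advisory: the version parser below is a constructed helper (it understands `MAJOR.MINOR.PATCH` with an optional `-rc-N` suffix, which is an assumption about the version scheme, and rejects anything else), and the ranges are copied from this record.

```python
import re

# Affected ranges from this record: (lower bound inclusive or None, upper bound exclusive).
# Fixed releases are 15.10.16, 16.4.7 and 16.10.2, which sit just outside each range.
AFFECTED_RANGES = [
    (None, "15.10.16"),
    ("16.0.0-rc-1", "16.4.7"),
    ("16.5.0-rc-1", "16.10.2"),
]

# Assumed version format: MAJOR.MINOR.PATCH with an optional "-rc-N" release-candidate suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def parse_version(text):
    """Turn an XWiki version string such as '16.0.0-rc-1' into a sortable tuple.

    A release candidate must sort before the final release of the same number
    (16.0.0-rc-1 < 16.0.0), so the tuple ends with (is_final, rc_number):
    candidates get (0, N) and finals get (1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def is_affected(version):
    """Return True if the given XWiki version falls inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= v
        if above_low and v < parse_version(high):
            return True
    return False


if __name__ == "__main__":
    for candidate in ["15.10.15", "15.10.16", "16.0.0-rc-1", "16.4.7", "16.10.1", "16.10.2"]:
        print(f"{candidate}: {'affected' if is_affected(candidate) else 'not affected'}")
```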