XWiki App Within Minutes Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in XWiki's App Within Minutes applications. Any user with edit rights, even without script rights, can execute arbitrary code by manipulating a class property's custom display. The root cause is that the application editor does not correctly handle author permissions, so the custom display is evaluated with the rights of a different author than the one who supplied it.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where XWiki is hosted.

Reproduction

To reproduce this vulnerability, log in as a user with edit rights but no scripting permissions. Create a document named 'EvilDisplayer.WebHome' and edit it using the class editor. Add a property of type 'Computed Field' with a custom display that includes a Groovy script printing a message. After saving, navigate to an application that uses App Within Minutes, edit the application, and use the inspector to find a hidden input. Change its value to reference the document created earlier and confirm the change. The Groovy script will execute, demonstrating successful exploitation.

Remediation

Users can update to XWiki versions 17.0.0, 16.4.7, or 16.10.3, where this vulnerability has been fixed. Additionally, restricting edit rights on App Within Minutes applications to trusted users can mitigate the risk.
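The three fixed releases above sit on separate XWiki release lines, so a plain version comparison is misleading (16.7.0 sorts above 16.4.7 but carries no fix). The following is an added example, not code from the advisory or from the XWiki project, that checks an inventory of installed versions against exactly the fixed releases named above. The branch-aware ordering, the conservative treatment of pre-release builds, and the suggested upgrade targets are assumptions derived from those three version numbers; the sample inventory is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED_IN_LINE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (16, 4): (16, 4, 7),
    (16, 10): (16, 10, 3),
}
FIRST_FIXED_MAJOR = 17  # 17.0.0 and every later 17.x release

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?P<suffix>[-.][A-Za-z].*)?\s*$"
)


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Return (major, minor, patch, suffix); suffix is e.g. '-rc-1' or None."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return major, minor, patch, m.group("suffix")


def is_fixed(text: str) -> bool:
    """True if the version is at or above the fixed release of its line."""
    major, minor, patch, suffix = parse_version(text)
    if suffix is not None:
        # Pre-release builds (rc, milestone, SNAPSHOT) are treated as unfixed:
        # a 17.0.0-rc-1 cut before the fix landed would otherwise pass.
        return False
    if major >= FIRST_FIXED_MAJOR:
        return True
    if major < 16:
        # Assumption: the advisory names no fixed release below 16.4.7.
        return False
    fixed = FIXED_IN_LINE.get((major, minor))
    if fixed is None:
        # 16.0-16.3 and 16.5-16.9 have no fixed release of their own and must
        # move to a fixed line; minor > 10 would post-date 16.10.3 (assumption).
        return minor > 10
    return (major, minor, patch) >= fixed


def upgrade_target(text: str) -> Optional[str]:
    """Nearest fixed release (assumption: stay on the same line when one exists)."""
    if is_fixed(text):
        return None
    major, minor, _, _ = parse_version(text)
    if (major, minor) == (16, 4):
        return "16.4.7"
    if major == 16:
        return "16.10.3"
    return "17.0.0" if major >= 17 else "16.4.7"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, current version, target) for every host still exposed."""
    exposed = []
    for host, version in sorted(inventory.items()):
        target = upgrade_target(version)
        if target is not None:
            exposed.append((host, version, target))
    return exposed


# Constructed sample inventory (hypothetical hosts, not data from the advisory).
SAMPLE_INVENTORY = {
    "wiki-prod-1": "16.4.6",
    "wiki-prod-2": "16.10.3",
    "wiki-lts": "16.4.7",
    "wiki-staging": "16.7.0",
    "wiki-dev": "17.0.0-rc-1",
    "wiki-legacy": "15.10.11",
}

if __name__ == "__main__":
    for host, current, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {current} is unfixed, upgrade to {target}")
```

Feed `triage` the version strings reported by each instance (the value shown in the XWiki administration UI or returned by the REST API) and the result is the list of hosts that still need the update, together with the release to move them to.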

Added: Jun 13, 2025, 6:29 PM
Updated: Jun 13, 2025, 6:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.6
remediation: 7.9
relevance: 0.2
threat: 6.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.