XWiki Platform
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*
- >= 4.3-milestone-1
A vulnerability allowing HQL injection has been identified in the XWiki Platform REST search API. This issue affects versions 4.3-milestone-1 prior to 16.10.9, 17.4.2, and 17.5.0. The vulnerability arises in the 'orderField' parameter, where injected values can manipulate the query by being added twice—once in the select field list and once in the order clause. Exploitation is complex, requiring the injected query to remain valid while bypassing certain syntax checks. The vulnerability has been patched in versions 17.5.0, 17.4.2, and 16.10.9.
Exploitation of this vulnerability allows for HQL injection, where an attacker can manipulate the query execution on the server. This could potentially lead to unauthorized data access or modification, depending on the nature of the injected HQL.
To reproduce this vulnerability, send a request to the XWiki REST search endpoint with a crafted 'orderField' parameter that includes malicious HQL payloads. The injected HQL should be designed to exploit the query parsing and execution, such as by adding conditions that manipulate the query logic or by injecting functions that could be used for data exfiltration or modification.
Users can upgrade to XWiki Platform versions 17.5.0, 17.4.2, or 16.10.9 to address this vulnerability.
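As an added illustration, not code from the advisory or from XWiki itself, the builder below reproduces the pattern the description refers to (the untrusted orderField spliced into both the select list and the order clause) beside a hardened builder that validates the column name against an allowlist. The XWikiDocument entity, the column names and the allowlist are assumptions made for this example.

```python
import re

# Constructed allowlist of sortable columns (an assumption for this example, not XWiki's real list).
ALLOWED_ORDER_FIELDS = frozenset({"name", "date", "author", "space"})

# A single bare identifier: commas, spaces, parentheses and quotes cannot get through.
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_search_query_unsafe(order_field: str, descending: bool = False) -> str:
    """The pattern the advisory describes: the caller-supplied value is concatenated into
    the HQL string twice, so it shapes both the select list and the order clause."""
    direction = "desc" if descending else "asc"
    return (
        f"select doc.fullName, doc.{order_field} from XWikiDocument doc "
        f"where doc.hidden = false order by doc.{order_field} {direction}"
    )


class InvalidOrderField(ValueError):
    """Raised when orderField is not one of the allowlisted column names."""


def validate_order_field(order_field: str) -> str:
    """Column names cannot be bound as query parameters, so an allowlist of bare
    identifiers is the appropriate control; anything else is rejected outright."""
    if not _IDENTIFIER.fullmatch(order_field) or order_field not in ALLOWED_ORDER_FIELDS:
        raise InvalidOrderField(f"orderField not allowed: {order_field!r}")
    return order_field


def is_valid_order_field(order_field: str) -> bool:
    """Convenience predicate over validate_order_field for callers that want a boolean."""
    try:
        validate_order_field(order_field)
        return True
    except InvalidOrderField:
        return False


def build_search_query_safe(order_field: str, descending: bool = False) -> str:
    """Same query shape, but the column name is validated before reaching either clause."""
    field = validate_order_field(order_field)
    direction = "desc" if descending else "asc"
    return (
        f"select doc.fullName, doc.{field} from XWikiDocument doc "
        f"where doc.hidden = false order by doc.{field} {direction}"
    )


if __name__ == "__main__":
    # Constructed, deliberately harmless input: a comma-bearing value is enough to show
    # that the unsafe builder lets it land in both clauses, while the safe one refuses it.
    tampered = "name, doc.author"
    print(build_search_query_unsafe(tampered).count(tampered))  # 2
    print(is_valid_order_field(tampered), is_valid_order_field("date"))  # False True
```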