XWiki Rendering
cpe:2.3:a:xwiki:rendering:*:*:*:*:*:*:*
- >= 4.2-milestone-1, < 13.10.11
- >= 14.0, < 14.4.7
- >= 14.5, < 14.10
XWiki Rendering's default macro content parser does not preserve the restricted attribute of the transformation context when it parses and transforms the content of a nested macro. Macros that are normally blocked in restricted mode, in particular script macros, can therefore be executed by wrapping them in a macro that passes its body through this parser, such as the cache and chart macros bundled with XWiki. Because comments are rendered in restricted mode, any user who can post a comment can use this to obtain remote code execution. Affected versions are 4.2-milestone-1 up to, but not including, 13.10.11, 14.4.7 and 14.10.
Exploitation allows any low-privileged user who can add a comment to execute arbitrary code on the server, compromising the confidentiality, integrity and availability of the whole XWiki installation and its data.
To reproduce, log in to XWiki as a low-privileged user and open a page with comments enabled, appending '?viewer=comments' to the URL to reach the comment section. Click the 'Comment' button, switch to the 'Source' editor, and enter a payload consisting of a script macro (for example the Groovy macro) nested inside a cache macro. Submitting the comment executes the script on the server, even though script macros are refused when placed directly in a comment.
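The following Python script is an added illustration and is not XWiki code: it models only the one behaviour the advisory describes, namely how the `restricted` flag of the transformation context is carried (or not) into the parsing of a nested macro's body. The macro names, the `{{macro}}...{{/macro}}` markup, the `TransformationContext` class and the two `parse_nested` variants are simplifications chosen for the example; the payload string is the cache-wrapped Groovy macro described in the reproduction steps.

```python
"""
Toy model of restricted-mode propagation into nested macro content.
Added example, not XWiki Rendering's real parser or macro classes.
"""
import re
from dataclasses import dataclass, field

# Script macros must never run in restricted mode (e.g. inside a comment).
SCRIPT_MACROS = {"groovy", "velocity", "python", "script"}
# Macros that hand their body back to the macro content parser.
CONTENT_PARSING_MACROS = {"cache", "chart"}

# {{name}}body{{/name}} -- simplified; does not handle a macro nested
# inside another macro of the same name, which a real parser would.
MACRO_RE = re.compile(
    r"\{\{(?P<name>\w+)\}\}(?P<body>.*?)\{\{/(?P=name)\}\}", re.DOTALL
)


@dataclass
class TransformationContext:
    """Only the attribute relevant to this bug is modelled."""
    restricted: bool


@dataclass
class Result:
    executed: list = field(default_factory=list)
    blocked: list = field(default_factory=list)


def transform(content, context, result, parse_nested):
    """Execute every top-level macro in `content` under `context`."""
    for m in MACRO_RE.finditer(content):
        name, body = m.group("name"), m.group("body")
        if name in SCRIPT_MACROS:
            # The restricted check itself is correct in both variants.
            (result.blocked if context.restricted else result.executed).append(name)
        elif name in CONTENT_PARSING_MACROS:
            result.executed.append(name)
            parse_nested(body, context, result)
        else:
            result.executed.append(name)


def vulnerable_parse_nested(body, outer_context, result):
    """Bug: a fresh context is built for the nested body and `restricted`
    keeps its default (False), so the outer restricted mode is lost."""
    inner = TransformationContext(restricted=False)
    transform(body, inner, result, vulnerable_parse_nested)


def fixed_parse_nested(body, outer_context, result):
    """Fix: copy the restricted attribute from the outer context."""
    inner = TransformationContext(restricted=outer_context.restricted)
    transform(body, inner, result, fixed_parse_nested)


def render_comment(content, parse_nested):
    """Comments are rendered in restricted mode."""
    result = Result()
    transform(content, TransformationContext(restricted=True), result, parse_nested)
    return result


# Constructed payload: script macro wrapped in a content-parsing macro.
PAYLOAD = '{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}'
# Constructed control: the same script macro placed directly in the comment.
DIRECT = '{{groovy}}println("Hello from Groovy!"){{/groovy}}'

if __name__ == "__main__":
    for label, parser in (("vulnerable", vulnerable_parse_nested),
                          ("fixed", fixed_parse_nested)):
        for payload in (DIRECT, PAYLOAD):
            r = render_comment(payload, parser)
            print(f"{label:10} {payload[:20]:22} executed={r.executed} blocked={r.blocked}")
```

Run stand-alone, the script shows that the direct Groovy macro is blocked by both parser variants, while the cache-wrapped one is executed only by the vulnerable variant; the fixed variant blocks it because the nested context inherits `restricted=True`. The same payload pasted into a comment is a quick way to confirm that an upgraded instance no longer executes nested script macros.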
Upgrade to XWiki 13.10.11, 14.4.7 or 14.10. Until an upgrade is possible, comments can be disabled for untrusted users as a workaround; note that this does not stop users with edit rights from adding comments through the object editor.