XWiki Remote Macros Column Macro Width Parameter Escaping Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the Column macro of XWiki Remote Macros, affecting versions from 1.0 up to but not including 1.26.5. The macro inserts its width parameter into XWiki syntax without escaping it, so a value supplied for that parameter can inject arbitrary XWiki syntax. The vulnerability can be exploited by any user who can edit pages or reach the CKEditor converter, and the impact is greatest when the macro was installed by a user with programming rights or when the macro is otherwise allowed to execute Velocity code as the wiki admin.

Impact

Exploitation of this vulnerability allows remote code execution on the XWiki server, with the executed code running in the context of the wiki admin.

Reproduction

To reproduce this vulnerability, a user without script or programming rights can insert a column macro into the WYSIWYG editor. In the 'width' input, enter a crafted payload that includes XWiki syntax for executing Groovy code. After saving and viewing the page, the injected code will be executed if the macro is vulnerable, demonstrating the remote code execution flaw.

Remediation

Users can update to XWiki Remote Macros version 1.26.5 or later, where this vulnerability has been patched.
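The escaping gap described above, as an added illustration that is not code from XWiki Remote Macros: a hypothetical rendering routine that drops the width value straight into the XWiki group syntax `(% style="..." %)(((...)))`, beside a hardened variant that accepts only a plain CSS length (an allowlist, which is stricter than escaping) and falls back to a default otherwise. The function names, the regular expression and the sample inputs are assumptions made for this example.

```python
import re
from typing import Optional

# Assumption: the macro only ever needs a plain CSS length such as "50%",
# "200px" or "12.5em". Anything else is rejected rather than escaped.
WIDTH_RE = re.compile(r"^\d{1,4}(\.\d{1,2})?(px|%|em|rem)$")


def render_column_unsafe(width: str, body: str) -> str:
    """Hypothetical pre-1.26.5 behaviour: the width lands in XWiki syntax
    verbatim, so any XWiki markup inside it is parsed and rendered."""
    return f'(% style="width: {width}" %)(((\n{body}\n)))'


def validate_width(width: str) -> Optional[str]:
    """Return the trimmed width if it is a plain CSS length, else None."""
    width = width.strip()
    return width if WIDTH_RE.fullmatch(width) else None


def render_column_safe(width: str, body: str, default: str = "50%") -> str:
    """Hardened variant: only an allowlisted length reaches the markup.
    An invalid value is replaced by `default`, so user-controlled markup is
    never emitted, whatever the caller passed in."""
    safe = validate_width(width) or default
    return f'(% style="width: {safe}" %)(((\n{body}\n)))'


def contains_macro_syntax(rendered: str) -> bool:
    """Detection helper: does the rendered markup carry an XWiki macro opener?
    A width parameter must never produce one."""
    return "{{" in rendered


if __name__ == "__main__":
    # Constructed inputs: a legitimate width and one that closes the style
    # attribute and smuggles a (harmless) XWiki macro in after it.
    for w in ["50%", '50%" %){{info}}injected{{/info}}']:
        print("unsafe:", repr(render_column_unsafe(w, "column text")))
        print("safe:  ", repr(render_column_safe(w, "column text")))
```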

Added: Sep 9, 2025, 7:29 PM
Updated: Sep 9, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 9.7
remediation: 7.7
relevance: 0.5
threat: 6.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.