XWiki Rendering and Platform HTML Macro Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability exists in XWiki Rendering versions prior to 16.10.10, as well as in 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0. This vulnerability allows for remote code execution (RCE) through insufficient protection against HTML macro injection. Users who can edit their own profile or any document may exploit this by executing arbitrary script macros, including Groovy and Python, which are then processed with programming rights. The issue arises because the rendering output is incorporated into HTML macros without proper escaping, enabling the injection of script macros that are executed with full access to wiki contents.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed code running in the context of the user profile, including the creation of files on the server.

Reproduction

To reproduce this vulnerability, a user can insert a specific payload into the 'About' section of their profile, using the source view to bypass normal editing restrictions. The payload should include both opening and closing HTML macro tags, along with script commands. Once saved, the injected script will execute, demonstrating the vulnerability by, for example, creating a file on the server with a message indicating the execution.

Remediation

Users can upgrade to XWiki Rendering versions 16.10.10, 17.4.3 or 17.6.0-rc-1. For XWiki Platform, the upgrade to version 17.10.0 is recommended.
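To check a deployment against the affected and fixed versions listed in this advisory, the following Python helper is an added example (not XWiki project code). It assumes XWiki's three-part version scheme with an optional pre-release suffix such as -rc-1 or -milestone-1, and encodes only the version ranges stated above.

```python
import re

# Matches "17.4.2" or "17.0.0-rc-1" / "17.0.0-milestone-2" (assumed XWiki scheme).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)-(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for an XWiki version string.

    A pre-release (rc, milestone) sorts before the final release of the same
    number; pre-release tags order alphabetically, so milestone < rc.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, "", 0)  # final release
    return (major, minor, patch, 0, m.group(4), int(m.group(5)))


# (lower bound inclusive, upper bound, upper bound inclusive?) from the advisory.
AFFECTED_RANGES = [
    ("0.0.0", "16.10.10", False),      # everything prior to 16.10.10
    ("17.0.0-rc-1", "17.4.2", True),   # 17.0.0-rc-1 through 17.4.2
    ("17.5.0-rc-1", "17.5.0", True),   # 17.5.0-rc-1 through 17.5.0
]

# Fixed XWiki Rendering releases named in the advisory, in ascending order.
FIXED_VERSIONS = ["16.10.10", "17.4.3", "17.6.0-rc-1"]


def is_affected(version):
    """True if the given XWiki Rendering version falls in an affected range."""
    v = parse_version(version)
    for low, high, high_inclusive in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if high_inclusive else v < hi):
            return True
    return False


def recommended_upgrade(version):
    """Lowest fixed release newer than an affected version, or None if not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return next(f for f in FIXED_VERSIONS if parse_version(f) > v)


if __name__ == "__main__":
    for ver in ["16.10.9", "17.0.0-rc-1", "17.4.3", "17.5.0", "17.10.0"]:
        print(ver, "affected" if is_affected(ver) else "not affected", recommended_upgrade(ver))
```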

Added: Dec 10, 2025, 10:21 PM
Updated: Dec 10, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.