XWiki Platform Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in XWiki Platform versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0. This vulnerability allows an attacker to execute arbitrary actions on behalf of the victim by crafting a malicious URL. If the victim has administrative or programming rights, these can be exploited to gain full access to the XWiki installation.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser.

Reproduction

To reproduce this vulnerability, send a request to the '/bin/distribution/XWiki/Distribution' endpoint with the 'extensionId' and 'extensionVersion' parameters. The 'extensionId' parameter can include a payload, such as an image tag with an 'onerror' event, to execute JavaScript. This vulnerability can be triggered by any user, as the endpoint is accessible without special privileges.

Remediation

Users can update to XWiki versions 17.8.0-rc-1, 17.4.5, or 16.10.12 to address this vulnerability. Alternatively, the patch can be applied manually by changing a single line in the 'templates/logging_macros.vm' file, without requiring a restart.