XWiki Platform Unauthenticated XAR Import Vulnerability via REST API

Vulnerability

A vulnerability exists in XWiki Platform versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 that allows unauthenticated users to import XAR files through the POST /wikis/{wikiName} REST API. The import is executed without any authentication or authorization check, so an attacker can create or modify documents in the targeted wiki. The issue arises because a previous update removed an indirect admin rights check; as a result, guest users can import XAR files that grant them additional privileges, such as programming rights.

Impact

Exploitation of this vulnerability allows unauthorized XAR imports, which can be used to create or update wiki pages, potentially including sensitive preference pages that grant additional rights.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated POST request to the /wikis/{wikiName} endpoint. This can be done with a tool like Postman or with a script that automates the HTTP request; the request must include the XAR file to be imported.

Remediation

Users can upgrade to XWiki versions 16.10.17, 17.4.9, 17.10.3, 18.0.1 or 18.1.0-rc-1 to address this vulnerability.
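An added example, not part of this advisory or of XWiki itself, that checks whether an installed XWiki version string predates the fixed release on its branch, using the fixed versions listed above. It assumes XWiki's major.minor.patch numbering with optional -milestone-N / -rc-N suffixes, and treats a version on a branch with no listed fix as affected unless it is at least as new as 18.1.0-rc-1 (an assumption, since the advisory only states "prior to" those releases).

```python
import re
from typing import NamedTuple, Tuple

# Fixed versions as stated in the advisory's remediation section.
FIXED_VERSIONS = ["16.10.17", "17.4.9", "17.10.3", "18.0.1", "18.1.0-rc-1"]

# Pre-release stages in ascending order; a final release outranks every stage.
_STAGE_RANK = {"milestone": 0, "rc": 1}
_FINAL_STAGE = 2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(milestone|rc)-(\d+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int      # 0 = milestone, 1 = rc, 2 = final release
    stage_num: int  # pre-release number, 0 for a final release

    @classmethod
    def parse(cls, text: str) -> "Version":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised XWiki version: {text!r}")
        major, minor, patch, stage, num = m.groups()
        if stage is None:
            return cls(int(major), int(minor), int(patch), _FINAL_STAGE, 0)
        return cls(int(major), int(minor), int(patch), _STAGE_RANK[stage], int(num))

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)


_FIXED = [Version.parse(v) for v in FIXED_VERSIONS]
_NEWEST_FIX = max(_FIXED)  # 18.1.0-rc-1; tuple ordering ranks rc below final


def is_affected(installed: str) -> bool:
    """True when the installed version is older than the fix on its branch.

    Assumption: a version on a branch with no listed fix is affected unless
    it is at least as new as the newest fixed release.
    """
    v = Version.parse(installed)
    for fix in _FIXED:
        if fix.branch == v.branch:
            return v < fix
    return v < _NEWEST_FIX
```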

Added: May 20, 2026, 8:58 PM
Updated: May 20, 2026, 8:58 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  8.4
remediation     0.0
relevance       8.4
threat          4.8
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.