CVE-2025-24893

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-24893
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 Product
https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824 Product
https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40 Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22149 Exploit Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*
History

07 May 2025, 18:08

Type Values Removed Values Added
References () https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 - () https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 - Product
References () https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824 - () https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824 - Product
References () https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40 - () https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40 - Patch
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j - Vendor Advisory
References () https://jira.xwiki.org/browse/XWIKI-22149 - () https://jira.xwiki.org/browse/XWIKI-22149 - Exploit, Issue Tracking, Vendor Advisory
CWE CWE-94
CPE cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
First Time Xwiki xwiki
Xwiki
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Cualquier invitado puede ejecutar código remoto arbitrario mediante una solicitud a `SolrSearch`. Esto afecta la confidencialidad, integridad y disponibilidad de toda la instalación de XWiki. Para reproducir en una instancia sin iniciar sesión, vaya a `/xwiki/bin/get/Main/SolrSearch?media=rss&amp;text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. Si hay una salida y el título de la fuente RSS contiene `Hello from search text:42`, entonces la instancia es vulnerable. Esta vulnerabilidad ha sido corregida en XWiki 15.10.11, 16.4.1 y 16.5.0RC1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden editar `Main.SolrSearchMacros` en `SolrSearchMacros.xml` en la línea 955 para que coincida con la macro `rawResponse` en `macros.vm#L2824` con un tipo de contenido de `application/xml`, en lugar de simplemente mostrar el contenido de la fuente.

20 Feb 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-20 20:15

Updated : 2025-05-07 18:08

NVD link : CVE-2025-24893

Mitre link : CVE-2025-24893

CVE.ORG link : CVE-2025-24893

JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')