CVE-2025-24893

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955	Product
https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824	Product
https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22149	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:5.3:-::::::
	cpe:2.3:a:xwiki:xwiki:5.3:milestone2::::::
	cpe:2.3:a:xwiki:xwiki:5.3:rc1::::::

History

07 May 2025, 18:08

Type	Values Removed	Values Added
References	() https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 -	() https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955 - Product
References	() https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824 -	() https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824 - Product
References	~~() https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40 -~~	() https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40 - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-22149 -~~	() https://jira.xwiki.org/browse/XWIKI-22149 - Exploit, Issue Tracking, Vendor Advisory
CWE		CWE-94
CPE		cpe:2.3:a:xwiki:xwiki:5.3:milestone2:::::: cpe:2.3:a:xwiki:xwiki:5.3:rc1:::::: cpe:2.3:a:xwiki:xwiki:5.3:-:::::: cpe:2.3:a:xwiki:xwiki::::::::
First Time		Xwiki xwiki Xwiki
Summary		(es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Cualquier invitado puede ejecutar código remoto arbitrario mediante una solicitud a `SolrSearch`. Esto afecta la confidencialidad, integridad y disponibilidad de toda la instalación de XWiki. Para reproducir en una instancia sin iniciar sesión, vaya a `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. Si hay una salida y el título de la fuente RSS contiene `Hello from search text:42`, entonces la instancia es vulnerable. Esta vulnerabilidad ha sido corregida en XWiki 15.10.11, 16.4.1 y 16.5.0RC1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden editar `Main.SolrSearchMacros` en `SolrSearchMacros.xml` en la línea 955 para que coincida con la macro `rawResponse` en `macros.vm#L2824` con un tipo de contenido de `application/xml`, en lugar de simplemente mostrar el contenido de la fuente.

20 Feb 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-20 20:15

Updated : 2025-05-07 18:08

NVD link : CVE-2025-24893

Mitre link : CVE-2025-24893

CVE.ORG link : CVE-2025-24893

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-24893", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-02-20T20:15:46.697", "references": [{"url": "https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://jira.xwiki.org/browse/XWIKI-22149", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-95"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed."}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones creadas sobre ella. Cualquier invitado puede ejecutar c\u00f3digo remoto arbitrario mediante una solicitud a `SolrSearch`. Esto afecta la confidencialidad, integridad y disponibilidad de toda la instalaci\u00f3n de XWiki. Para reproducir en una instancia sin iniciar sesi\u00f3n, vaya a `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. Si hay una salida y el t\u00edtulo de la fuente RSS contiene `Hello from search text:42`, entonces la instancia es vulnerable. Esta vulnerabilidad ha sido corregida en XWiki 15.10.11, 16.4.1 y 16.5.0RC1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden editar `Main.SolrSearchMacros` en `SolrSearchMacros.xml` en la l\u00ednea 955 para que coincida con la macro `rawResponse` en `macros.vm#L2824` con un tipo de contenido de `application/xml`, en lugar de simplemente mostrar el contenido de la fuente."}], "lastModified": "2025-05-07T18:08:35.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9F2AD2E-CF5D-46D1-AFB8-2E9529C8E8D4", "versionEndExcluding": "15.10.11", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5921C493-2A56-49BC-8763-7D12518C0DC2", "versionEndExcluding": "16.4.1", "versionStartIncluding": "16.0.0"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5CC1FB7-2BAD-4413-9955-02E06BA27305"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "067AAD11-1AB2-4688-8D81-F2464CD2FA14"}, {"criteria": "cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2FCE7B4-E701-4C07-B4A9-31EC6C25F882"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

9.8 /10