ghsa-rr6p-3pfg-562j
Vulnerability from github
Published
2025-02-20 20:16
Modified
2025-02-20 22:53
Severity ?
Summary
XWiki Platform allows remote code execution as guest via SolrSearchMacros request
Details
Impact
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in Main.SolrSearchMacros can be edited to match the rawResponse macro defined here with a content type of application/xml, instead of simply outputting the content of the feed.
References
- https://jira.xwiki.org/browse/XWIKI-22149
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.
{ affected: [ { package: { ecosystem: "Maven", name: "org.xwiki.platform:xwiki-platform-search-solr-ui", }, ranges: [ { events: [ { introduced: "5.3-milestone-2", }, { fixed: "15.10.11", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.xwiki.platform:xwiki-platform-search-solr-ui", }, ranges: [ { events: [ { introduced: "16.0.0-rc-1", }, { fixed: "16.4.1", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2025-24893", ], database_specific: { cwe_ids: [ "CWE-95", ], github_reviewed: true, github_reviewed_at: "2025-02-20T20:16:21Z", nvd_published_at: "2025-02-20T20:15:46Z", severity: "CRITICAL", }, details: "### Impact\nAny guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.\n\n### Patches\nThis vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.\n\n### Workarounds\n[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMacros` can be edited to match the `rawResponse` macro defined [here](https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824) with a content type of `application/xml`, instead of simply outputting the content of the feed.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22149\n* https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40\n\n### Attribution\nThis vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.", id: "GHSA-rr6p-3pfg-562j", modified: "2025-02-20T22:53:32Z", published: "2025-02-20T20:16:21Z", references: [ { type: "WEB", url: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2025-24893", }, { type: "WEB", url: "https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40", }, { type: "PACKAGE", url: "https://github.com/xwiki/xwiki-platform", }, { type: "WEB", url: "https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955", }, { type: "WEB", url: "https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824", }, { type: "WEB", url: "https://jira.xwiki.org/browse/XWIKI-22149", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], summary: "XWiki Platform allows remote code execution as guest via SolrSearchMacros request", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.