{ "schema_version": "1.4.0", "id": "GHSA-rr6p-3pfg-562j", "modified": "2025-02-20T22:53:32Z", "published": "2025-02-20T20:16:21Z", "aliases": [ "CVE-2025-24893" ], "summary": "XWiki Platform allows remote code execution as guest via SolrSearchMacros request", "details": "### Impact\nAny guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28\"Hello%20from\"%20%2B%20\"%20search%20text%3A\"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.\n\n### Patches\nThis vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.\n\n### Workarounds\n[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMacros` can be edited to match the `rawResponse` macro defined [here](https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824) with a content type of `application/xml`, instead of simply outputting the content of the feed.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-22149\n* https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40\n\n### Attribution\nThis vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "org.xwiki.platform:xwiki-platform-search-solr-ui" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.3-milestone-2" }, { "fixed": "15.10.11" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "org.xwiki.platform:xwiki-platform-search-solr-ui" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "16.0.0-rc-1" }, { "fixed": "16.4.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893" }, { "type": "WEB", "url": "https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40" }, { "type": "PACKAGE", "url": "https://github.com/xwiki/xwiki-platform" }, { "type": "WEB", "url": "https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955" }, { "type": "WEB", "url": "https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824" }, { "type": "WEB", "url": "https://jira.xwiki.org/browse/XWIKI-22149" } ], "database_specific": { "cwe_ids": [ "CWE-95" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2025-02-20T20:16:21Z", "nvd_published_at": "2025-02-20T20:15:46Z" } }