VYPR
Moderate severity · NVD Advisory · Published Sep 28, 2018 · Updated Aug 5, 2024

CVE-2018-16277

Description

XWiki through 10.7 suffers from a stored XSS flaw in the Image Import function, allowing remote unauthenticated attackers to execute arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Image Import function in XWiki through version 10.7 contains a stored cross-site scripting (XSS) vulnerability [1]. The flaw arises because user-supplied input submitted during an image import is stored and later rendered into the wiki's HTML without adequate sanitization or escaping. This affects all installations that expose the built-in image upload and import feature. Version 10.7 is the last affected release; later versions are not impacted.

Exploitation

An attacker exploits the flaw by submitting an image import whose user-controlled content carries HTML or JavaScript; the advisory does not specify which field goes unescaped. The CVE description classes the attacker as remote and unauthenticated, which holds wherever the wiki permits anonymous uploads; where it does not, any authenticated user with upload rights can plant the payload. Because the XSS is stored, the payload runs in the browser of every user who later views the imported image or a page that displays it, under the wiki's own origin. The attacker needs no special network position beyond the ability to send HTTP requests to the target XWiki instance.
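The bug class behind this advisory, shown as an added illustration rather than XWiki's own code: a record from an image import (modelled here by a hypothetical `ImportedImage` whose filename and alt text are attacker-chosen, since the page does not say which field XWiki failed to escape) is rendered into an `<img>` tag by string concatenation, beside the same rendering with context-correct escaping. The `is_safe_img` oracle parses each rendering and flags any attribute or element that a user-controlled value managed to inject. The sample imports and the `/download/` path are constructed for the example.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class ImportedImage:
    """One record produced by a hypothetical image-import step.
    Illustrative model only, not XWiki's attachment data model."""
    filename: str  # user-controlled: chosen by whoever performs the import
    alt_text: str  # user-controlled: taken from a form field or image metadata


# Constructed sample input: one benign import and two carrying payloads.
SAMPLE_IMPORTS = [
    ImportedImage("diagram.png", "Network diagram"),
    # Filename closes the src attribute and smuggles in an event handler.
    ImportedImage('x.png" onerror="alert(document.cookie)', "photo"),
    # Alt text closes the attribute and the tag, then injects a script element.
    ImportedImage("logo.png", '"><script>alert(1)</script>'),
]


def render_vulnerable(img: ImportedImage) -> str:
    """The stored-XSS pattern: stored, user-controlled values are concatenated
    straight into HTML with no escaping for the attribute context."""
    return f'<img src="/download/{img.filename}" alt="{img.alt_text}">'


def render_hardened(img: ImportedImage) -> str:
    """Same markup, but each user-controlled value is escaped for an HTML
    attribute. quote=True also turns " and ' into entities, so a value can
    never terminate the attribute it is placed in."""
    return (
        f'<img src="/download/{html.escape(img.filename, quote=True)}"'
        f' alt="{html.escape(img.alt_text, quote=True)}">'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and its attribute names, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(rendered: str) -> list[tuple[str, list[str]]]:
    """Parses rendered markup the way a lenient HTML parser would and
    returns [(tag, [attribute names]), ...]."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def is_safe_img(rendered: str) -> bool:
    """Oracle for this template: correct output is exactly one <img> element
    carrying exactly src and alt. Any extra attribute (an injected event
    handler) or extra element (an injected <script>) means a user-controlled
    value escaped its attribute."""
    return parse_tags(rendered) == [("img", ["src", "alt"])]


if __name__ == "__main__":
    for img in SAMPLE_IMPORTS:
        for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
            out = render(img)
            print(f"{label:10s} safe={is_safe_img(out)!s:5s} {out}")
```

Escaping is context-specific: `html.escape` is correct for HTML text and quoted attribute values, but a value placed inside a URL, a JavaScript string or an unquoted attribute needs the encoder for that context, and the oracle above only detects attribute breakout and element injection, not every XSS sink.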

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session on the wiki's origin. This can lead to session hijacking, data theft, defacement, or any other action the victim is permitted to perform through the web interface. Because the XSS is stored and persistent, every user who views the affected content is impacted until it is removed. The flaw does not by itself grant server-side access, but the real bound is the victim's privileges rather than the browser: a payload running in the session of an XWiki user who holds programming rights can edit pages as that user, and XWiki pages can carry server-side script macros, so an XSS that reaches an administrator should be treated as a potential path to full compromise.

Mitigation

XWiki released a fix in version 10.8, published on 2018-09-28 [1]; the affected-packages data on this page lists no patched version, so confirm the fixed release against the XWiki release notes before relying on it. Users should upgrade to XWiki 10.8 or later. For installations that cannot upgrade immediately, disabling anonymous uploads, restricting upload rights to trusted users, and reviewing already-imported content for injected markup reduce exposure, but upgrading is the only complete mitigation. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.xwiki.platform:xwiki-platform (Maven)
Affected versions: <= 10.7
Patched versions: none listed

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4