Moderate severityNVD Advisory· Published Feb 9, 2022· Updated Apr 23, 2025

Missing authorization in xwiki-platform

CVE-2022-23621

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-oldcoreMaven	>= 13.6-rc-1, < 13.7-rc-1	13.7-rc-1
org.xwiki.platform:xwiki-platform-oldcoreMaven	>= 13.0.0, < 13.4.3	13.4.3
org.xwiki.platform:xwiki-platform-oldcoreMaven	< 12.10.9	12.10.9

Affected products

Xwiki/Xwiki Platformv5
Range: >= 13.6.0, < 13.7-rc-1

Patches

df8bd49b5a4d

XWIKI-18870: Unexpected behavior of XWiki#invokeServletAndReturnAsString

https://github.com/xwiki/xwiki-platformThomas MortagneJul 29, 2021via ghsa

commit

4 files changed · +38 −34

xwiki-platform-core/xwiki-platform-legacy/xwiki-platform-legacy-oldcore/src/main/aspect/com/xpn/xwiki/api/XWikiCompatibilityAspect.aj

+14 −0 modified

@@ -1198,4 +1198,18 @@ public privileged aspect XWikiCompatibilityAspect
     {
         return this.xwiki.getConfiguredSyntaxes();
     }
+
+    /**
+     * Designed to include dynamic content, such as Servlets or JSPs, inside Velocity templates; works by creating a
+     * RequestDispatcher, buffering the output, then returning it as a string.
+     *
+     * @param url URL of the servlet
+     * @return text result of the servlet
+     * @deprecated since 12.10.9, 13.4.3, 13.7RC1
+     */
+    @Deprecated
+    public String XWiki.invokeServletAndReturnAsString(String url)
+    {
+        return hasProgrammingRights() ? this.xwiki.invokeServletAndReturnAsString(url, getXWikiContext()) : null;
+    }
 }
\ No newline at end of file

xwiki-platform-core/xwiki-platform-legacy/xwiki-platform-legacy-oldcore/src/main/aspect/com/xpn/xwiki/XWikiCompatibilityAspect.aj

+24 −0 modified

@@ -35,6 +35,9 @@ import java.lang.reflect.Method;
 import java.lang.reflect.InvocationTargetException;
 import java.io.IOException;
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.commons.net.smtp.SMTPClient;
 import org.apache.commons.net.smtp.SMTPReply;
 import org.apache.commons.lang3.StringUtils;
@@ -78,6 +81,7 @@ import com.xpn.xwiki.util.Util;
 import com.xpn.xwiki.web.Utils;
 import com.xpn.xwiki.web.XWikiMessageTool;
 import com.xpn.xwiki.web.XWikiRequest;
+import com.xpn.xwiki.web.includeservletasstring.IncludeServletAsString;
 
 /**
  * Add a backward compatibility layer to the {@link com.xpn.xwiki.XWiki} class.
@@ -1388,4 +1392,24 @@ public privileged aspect XWikiCompatibilityAspect
         }
         return this.configuredSyntaxes;
     }
+
+    /**
+     * Designed to include dynamic content, such as Servlets or JSPs, inside Velocity templates; works by creating a
+     * RequestDispatcher, buffering the output, then returning it as a string.
+     * 
+     * @deprecated since 12.10.9, 13.4.3, 13.7RC1
+     */
+    @Deprecated
+    public String XWiki.invokeServletAndReturnAsString(String url, XWikiContext xwikiContext)
+    {
+        HttpServletRequest servletRequest = xwikiContext.getRequest();
+        HttpServletResponse servletResponse = xwikiContext.getResponse();
+
+        try {
+            return IncludeServletAsString.invokeServletAndReturnAsString(url, servletRequest, servletResponse);
+        } catch (Exception e) {
+            LOGGER.warn("Exception including url: " + url, e);
+            return "Exception including \"" + url + "\", see logs for details.";
+        }
+    }
 }

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/XWiki.java+0 −12 modified

@@ -1010,18 +1010,6 @@ public String renderTemplate(String template)
         return this.xwiki.renderTemplate(template, getXWikiContext());
     }
 
-    /**
-     * Designed to include dynamic content, such as Servlets or JSPs, inside Velocity templates; works by creating a
-     * RequestDispatcher, buffering the output, then returning it as a string.
-     *
-     * @param url URL of the servlet
-     * @return text result of the servlet
-     */
-    public String invokeServletAndReturnAsString(String url)
-    {
-        return this.xwiki.invokeServletAndReturnAsString(url, getXWikiContext());
-    }
-
     /**
      * Return the URL of the static file provided by the current skin The file is first looked in the skin active for
      * the user, the space or the wiki. If the file does not exist in that skin, the file is looked up in the "parent

xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/XWiki.java+0 −22 modified

@@ -66,8 +66,6 @@
 import javax.naming.NamingException;
 import javax.script.ScriptContext;
 import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.httpclient.Credentials;
 import org.apache.commons.httpclient.HttpClient;
@@ -265,7 +263,6 @@
 import com.xpn.xwiki.web.XWikiURLFactory;
 import com.xpn.xwiki.web.XWikiURLFactoryService;
 import com.xpn.xwiki.web.XWikiURLFactoryServiceImpl;
-import com.xpn.xwiki.web.includeservletasstring.IncludeServletAsString;
 
 @Serializable(false)
 public class XWiki implements EventListener
@@ -2578,25 +2575,6 @@ public String renderTemplate(String template, XWikiContext context)
         }
     }
 
-    /**
-     * Designed to include dynamic content, such as Servlets or JSPs, inside Velocity templates; works by creating a
-     * RequestDispatcher, buffering the output, then returning it as a string.
-     */
-    public String invokeServletAndReturnAsString(String url, XWikiContext xwikiContext)
-    {
-
-        HttpServletRequest servletRequest = xwikiContext.getRequest();
-        HttpServletResponse servletResponse = xwikiContext.getResponse();
-
-        try {
-            return IncludeServletAsString.invokeServletAndReturnAsString(url, servletRequest, servletResponse);
-        } catch (Exception e) {
-            LOGGER.warn("Exception including url: " + url, e);
-            return "Exception including \"" + url + "\", see logs for details.";
-        }
-
-    }
-
     /**
      * @param iconName the standard name of an icon (it's not the name of the file on the filesystem, it's a generic
      *            name, for example "success" for a success icon

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-2jhm-qp48-hv5jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-23621ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/df8bd49b5a4d87a427002c6535fb5b1746ff117aghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-2jhm-qp48-hv5jghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-18870ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000