VYPR
← All advisories
Critical severityNVD Advisory· Published Jan 8, 2024· Updated Jun 17, 2025

XWiki Remote Code Execution vulnerability via user registration

CVE-2024-21650

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-administration-uiMaven
>= 2.2, < 14.10.1714.10.17
org.xwiki.platform:xwiki-platform-administration-uiMaven
>= 15.0-rc-1, < 15.5.315.5.3
org.xwiki.platform:xwiki-platform-administration-uiMaven
>= 15.6-rc-1, < 15.8-rc-115.8-rc-1

Affected products

1

Patches

3
cdf5be8c20b6

XWIKI-21173: Improve escaping in registration success message

https://github.com/xwiki/xwiki-platformMichael HamannSep 4, 2023via ghsa
commit
3 files changed · +47 13
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/RegisterIT.java+21 11 modified
    @@ -19,22 +19,22 @@
  */
 package org.xwiki.administration.test.ui;
 
-import java.util.List;
 import java.util.stream.Stream;
 
 import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.openqa.selenium.By;
 import org.openqa.selenium.NoSuchElementException;
-import org.openqa.selenium.WebElement;
 import org.xwiki.administration.test.po.RegistrationModal;
 import org.xwiki.test.docker.junit5.UITest;
 import org.xwiki.test.ui.TestUtils;
 import org.xwiki.test.ui.po.AbstractRegistrationPage;
 import org.xwiki.test.ui.po.RegistrationPage;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -161,6 +161,22 @@ void registerInvalidEmail(boolean useLiveValidation, boolean isModal, TestUtils
         assertTrue(registrationPage.validationFailureMessagesInclude("Please enter a valid email address."));
     }
 
+    @Test
+    @Order(8)
+    void registerWikiSyntaxName(TestUtils testUtils) throws Exception
+    {
+        AbstractRegistrationPage registrationPage = setUp(testUtils, false, false);
+        String password = "SomePassword";
+        String firstName = "]]{{/html}}{{html clean=false}}HT&amp;ML";
+        String lastName = "]]{{/html}}";
+        String username = "WikiSyntaxName";
+        registrationPage.fillRegisterForm(firstName, lastName, username, password, password, "wiki@example.com");
+        assertTrue(validateAndRegister(testUtils, false, false, registrationPage));
+
+        assertEquals(String.format("%s %s (%s): Registration successful.", firstName, lastName, username),
+            ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().orElseThrow());
+    }
+
     private AbstractRegistrationPage setUp(TestUtils testUtils, boolean useLiveValidation, boolean isModal)
         throws Exception
     {
@@ -236,7 +252,7 @@ private boolean tryToRegister(TestUtils testUtils, AbstractRegistrationPage regi
         if (isModal) {
             return administrationModalUserCreation(testUtils, registrationPage);
         } else {
-            return guestUserRegistration(testUtils, registrationPage);
+            return guestUserRegistration(registrationPage);
         }
     }
 
@@ -265,17 +281,11 @@ private boolean administrationModalUserCreation(TestUtils testUtils, AbstractReg
         }
     }
 
-    private boolean guestUserRegistration(TestUtils testUtils, AbstractRegistrationPage registrationPage)
+    private boolean guestUserRegistration(AbstractRegistrationPage registrationPage)
     {
         registrationPage.clickRegister();
 
-        List<WebElement> infos = testUtils.getDriver().findElements(By.className("infomessage"));
-        for (WebElement info : infos) {
-            if (info.getText().contains("Registration successful.")) {
-                return true;
-            }
-        }
-        return false;
+        return ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().isPresent();
     }
 
     private void tryToLoginAsJohnSmith(TestUtils testUtils, AbstractRegistrationPage registrationPage)
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/RegistrationConfig.xml+3 2 modified
    @@ -555,8 +555,9 @@
       <passwordRuleOneUpperCaseEnabled>0</passwordRuleOneUpperCaseEnabled>
     </property>
     <property>
-      <registrationSuccessMessage>#set($fullName = "$request.get('register_first_name') $request.get('register_last_name')")
-{{info}}$services.localization.render('core.register.successful', ["[[$fullName&gt;&gt;$userSpace$userName]]", $userName]){{/info}}</registrationSuccessMessage>
+      <registrationSuccessMessage>#set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName]))
+#set($userLink = $xwiki.getUserName("$userSpace$userName"))
+{{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}}</registrationSuccessMessage>
     </property>
     <property>
       <requireCaptcha>0</requireCaptcha>
  • xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-ui/src/main/java/org/xwiki/test/ui/po/RegistrationPage.java+23 0 modified
    @@ -19,6 +19,10 @@
  */
 package org.xwiki.test.ui.po;
 
+import java.util.List;
+import java.util.Optional;
+
+import org.openqa.selenium.By;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
 
@@ -47,4 +51,23 @@ public void clickRegister()
     {
         this.submitButton.click();
     }
+
+    /**
+     * @since 14.10.17
+     * @since 15.5.3
+     * @since 15.8RC1
+     *
+     * @return the registration success message if present after submitting the registration form
+     */
+    public Optional<String> getRegistrationSuccessMessage()
+    {
+        List<WebElement> infos = getDriver().findElements(By.className("infomessage"));
+        for (WebElement info : infos) {
+            if (info.getText().contains("Registration successful.")) {
+                return Optional.of(info.getText());
+            }
+        }
+
+        return Optional.empty();
+    }
 }
ec608f303913

XWIKI-21173: Improve escaping in registration success message

https://github.com/xwiki/xwiki-platformMichael HamannSep 4, 2023via ghsa
commit
3 files changed · +47 13
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/RegisterIT.java+21 11 modified
    @@ -19,22 +19,22 @@
  */
 package org.xwiki.administration.test.ui;
 
-import java.util.List;
 import java.util.stream.Stream;
 
 import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.openqa.selenium.By;
 import org.openqa.selenium.NoSuchElementException;
-import org.openqa.selenium.WebElement;
 import org.xwiki.administration.test.po.RegistrationModal;
 import org.xwiki.test.docker.junit5.UITest;
 import org.xwiki.test.ui.TestUtils;
 import org.xwiki.test.ui.po.AbstractRegistrationPage;
 import org.xwiki.test.ui.po.RegistrationPage;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -161,6 +161,22 @@ void registerInvalidEmail(boolean useLiveValidation, boolean isModal, TestUtils
         assertTrue(registrationPage.validationFailureMessagesInclude("Please enter a valid email address."));
     }
 
+    @Test
+    @Order(8)
+    void registerWikiSyntaxName(TestUtils testUtils) throws Exception
+    {
+        AbstractRegistrationPage registrationPage = setUp(testUtils, false, false);
+        String password = "SomePassword";
+        String firstName = "]]{{/html}}{{html clean=false}}HT&amp;ML";
+        String lastName = "]]{{/html}}";
+        String username = "WikiSyntaxName";
+        registrationPage.fillRegisterForm(firstName, lastName, username, password, password, "wiki@example.com");
+        assertTrue(validateAndRegister(testUtils, false, false, registrationPage));
+
+        assertEquals(String.format("%s %s (%s): Registration successful.", firstName, lastName, username),
+            ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().orElseThrow());
+    }
+
     private AbstractRegistrationPage setUp(TestUtils testUtils, boolean useLiveValidation, boolean isModal)
         throws Exception
     {
@@ -236,7 +252,7 @@ private boolean tryToRegister(TestUtils testUtils, AbstractRegistrationPage regi
         if (isModal) {
             return administrationModalUserCreation(testUtils, registrationPage);
         } else {
-            return guestUserRegistration(testUtils, registrationPage);
+            return guestUserRegistration(registrationPage);
         }
     }
 
@@ -265,17 +281,11 @@ private boolean administrationModalUserCreation(TestUtils testUtils, AbstractReg
         }
     }
 
-    private boolean guestUserRegistration(TestUtils testUtils, AbstractRegistrationPage registrationPage)
+    private boolean guestUserRegistration(AbstractRegistrationPage registrationPage)
     {
         registrationPage.clickRegister();
 
-        List<WebElement> infos = testUtils.getDriver().findElements(By.className("infomessage"));
-        for (WebElement info : infos) {
-            if (info.getText().contains("Registration successful.")) {
-                return true;
-            }
-        }
-        return false;
+        return ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().isPresent();
     }
 
     private void tryToLoginAsJohnSmith(TestUtils testUtils, AbstractRegistrationPage registrationPage)
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/RegistrationConfig.xml+3 2 modified
    @@ -555,8 +555,9 @@
       <passwordRuleOneUpperCaseEnabled>0</passwordRuleOneUpperCaseEnabled>
     </property>
     <property>
-      <registrationSuccessMessage>#set($fullName = "$request.get('register_first_name') $request.get('register_last_name')")
-{{info}}$services.localization.render('core.register.successful', ["[[$fullName&gt;&gt;$userSpace$userName]]", $userName]){{/info}}</registrationSuccessMessage>
+      <registrationSuccessMessage>#set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName]))
+#set($userLink = $xwiki.getUserName("$userSpace$userName"))
+{{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}}</registrationSuccessMessage>
     </property>
     <property>
       <requireCaptcha>0</requireCaptcha>
  • xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-ui/src/main/java/org/xwiki/test/ui/po/RegistrationPage.java+23 0 modified
    @@ -19,6 +19,10 @@
  */
 package org.xwiki.test.ui.po;
 
+import java.util.List;
+import java.util.Optional;
+
+import org.openqa.selenium.By;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
 
@@ -47,4 +51,23 @@ public void clickRegister()
     {
         this.submitButton.click();
     }
+
+    /**
+     * @since 14.10.17
+     * @since 15.5.3
+     * @since 15.8RC1
+     *
+     * @return the registration success message if present after submitting the registration form
+     */
+    public Optional<String> getRegistrationSuccessMessage()
+    {
+        List<WebElement> infos = getDriver().findElements(By.className("infomessage"));
+        for (WebElement info : infos) {
+            if (info.getText().contains("Registration successful.")) {
+                return Optional.of(info.getText());
+            }
+        }
+
+        return Optional.empty();
+    }
 }
b290bfd573c6

XWIKI-21173: Improve escaping in registration success message

https://github.com/xwiki/xwiki-platformMichael HamannSep 4, 2023via ghsa
commit
3 files changed · +47 13
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/RegisterIT.java+21 11 modified
    @@ -19,22 +19,22 @@
  */
 package org.xwiki.administration.test.ui;
 
-import java.util.List;
 import java.util.stream.Stream;
 
 import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.openqa.selenium.By;
 import org.openqa.selenium.NoSuchElementException;
-import org.openqa.selenium.WebElement;
 import org.xwiki.administration.test.po.RegistrationModal;
 import org.xwiki.test.docker.junit5.UITest;
 import org.xwiki.test.ui.TestUtils;
 import org.xwiki.test.ui.po.AbstractRegistrationPage;
 import org.xwiki.test.ui.po.RegistrationPage;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -161,6 +161,22 @@ void registerInvalidEmail(boolean useLiveValidation, boolean isModal, TestUtils
         assertTrue(registrationPage.validationFailureMessagesInclude("Please enter a valid email address."));
     }
 
+    @Test
+    @Order(8)
+    void registerWikiSyntaxName(TestUtils testUtils) throws Exception
+    {
+        AbstractRegistrationPage registrationPage = setUp(testUtils, false, false);
+        String password = "SomePassword";
+        String firstName = "]]{{/html}}{{html clean=false}}HT&amp;ML";
+        String lastName = "]]{{/html}}";
+        String username = "WikiSyntaxName";
+        registrationPage.fillRegisterForm(firstName, lastName, username, password, password, "wiki@example.com");
+        assertTrue(validateAndRegister(testUtils, false, false, registrationPage));
+
+        assertEquals(String.format("%s %s (%s): Registration successful.", firstName, lastName, username),
+            ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().orElseThrow());
+    }
+
     private AbstractRegistrationPage setUp(TestUtils testUtils, boolean useLiveValidation, boolean isModal)
         throws Exception
     {
@@ -236,7 +252,7 @@ private boolean tryToRegister(TestUtils testUtils, AbstractRegistrationPage regi
         if (isModal) {
             return administrationModalUserCreation(testUtils, registrationPage);
         } else {
-            return guestUserRegistration(testUtils, registrationPage);
+            return guestUserRegistration(registrationPage);
         }
     }
 
@@ -265,17 +281,11 @@ private boolean administrationModalUserCreation(TestUtils testUtils, AbstractReg
         }
     }
 
-    private boolean guestUserRegistration(TestUtils testUtils, AbstractRegistrationPage registrationPage)
+    private boolean guestUserRegistration(AbstractRegistrationPage registrationPage)
     {
         registrationPage.clickRegister();
 
-        List<WebElement> infos = testUtils.getDriver().findElements(By.className("infomessage"));
-        for (WebElement info : infos) {
-            if (info.getText().contains("Registration successful.")) {
-                return true;
-            }
-        }
-        return false;
+        return ((RegistrationPage) registrationPage).getRegistrationSuccessMessage().isPresent();
     }
 
     private void tryToLoginAsJohnSmith(TestUtils testUtils, AbstractRegistrationPage registrationPage)
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/RegistrationConfig.xml+3 2 modified
    @@ -555,8 +555,9 @@
       <passwordRuleOneUpperCaseEnabled>0</passwordRuleOneUpperCaseEnabled>
     </property>
     <property>
-      <registrationSuccessMessage>#set($fullName = "$request.get('register_first_name') $request.get('register_last_name')")
-{{info}}$services.localization.render('core.register.successful', ["[[$fullName&gt;&gt;$userSpace$userName]]", $userName]){{/info}}</registrationSuccessMessage>
+      <registrationSuccessMessage>#set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName]))
+#set($userLink = $xwiki.getUserName("$userSpace$userName"))
+{{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}}</registrationSuccessMessage>
     </property>
     <property>
       <requireCaptcha>0</requireCaptcha>
  • xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-ui/src/main/java/org/xwiki/test/ui/po/RegistrationPage.java+23 0 modified
    @@ -19,6 +19,10 @@
  */
 package org.xwiki.test.ui.po;
 
+import java.util.List;
+import java.util.Optional;
+
+import org.openqa.selenium.By;
 import org.openqa.selenium.WebElement;
 import org.openqa.selenium.support.FindBy;
 
@@ -47,4 +51,23 @@ public void clickRegister()
     {
         this.submitButton.click();
     }
+
+    /**
+     * @since 14.10.17
+     * @since 15.5.3
+     * @since 15.8RC1
+     *
+     * @return the registration success message if present after submitting the registration form
+     */
+    public Optional<String> getRegistrationSuccessMessage()
+    {
+        List<WebElement> infos = getDriver().findElements(By.className("infomessage"));
+        for (WebElement info : infos) {
+            if (info.getText().contains("Registration successful.")) {
+                return Optional.of(info.getText());
+            }
+        }
+
+        return Optional.empty();
+    }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.