Remote code execution as guest via SolrSearchMacros request in xwiki
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, instead of simply outputting the content of the feed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-search-solr-uiMaven | >= 5.3-milestone-2, < 15.10.11 | 15.10.11 |
org.xwiki.platform:xwiki-platform-search-solr-uiMaven | >= 16.0.0-rc-1, < 16.4.1 | 16.4.1 |
Affected products
2- ghsa-coordsRange: >= 5.3-milestone-2, < 15.10.11
- Range: >= 5.3-milestone-2, < 15.10.11
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-rr6p-3pfg-562jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-24893ghsaADVISORY
- github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xmlghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vmghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562jghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-22149ghsax_refsource_MISCWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
News mentions
0No linked articles in our index yet.