Description
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.
Remediation
References
Related Vulnerabilities
WordPress Plugin Social Auto Poster-WordPress Scheduler & Marketing Cross-Site Scripting (5.3.14)
Jenkins Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-3722)
WordPress Plugin Super Store Finder for WordPress (Google Maps Store Locator) SQL Injection (6.3)
Apache Traffic Server Uncontrolled Resource Consumption Vulnerability (CVE-2019-9512)
Joomla Insufficient Verification of Data Authenticity Vulnerability (CVE-2020-15699)