Description
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Remediation
References
Related Vulnerabilities
SugarCRM Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-17304)
MediaWiki CVE-2023-29137 Vulnerability (CVE-2023-29137)
PHP Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2014-5459)
WordPress Plugin Slack-Chat Information Disclosure (1.5.5)
WordPress Plugin Product Import Export for WooCommerce Cross-Site Request Forgery (1.7.4)