Description:
Impact
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable.
Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
Workarounds
This line in Main.SolrSearchMacros can be edited to match the rawResponse macro defined here with a content type of application/xml, instead of simply outputting the content of the feed.
References
https://jira.xwiki.org/browse/XWIKI-22149
https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
Attribution
This vulnerability has been reported by John Kwak for Trend Micro's Zero Day Initiative.
References
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-...
February 20th, 2025 (5 months ago)
CVE-2024-4028 |
Description: A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-4028
https://access.redhat.com/security/cve/CVE-2024-4028
https://bugzilla.redhat.com/show_bug.cgi?id=2276418
https://github.com/advisories/GHSA-q4xq-445g-g6ch
EPSS Score: 0.04%
February 20th, 2025 (5 months ago)
CVE-2025-1391 |
Description: A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an application relies on these claims for authorization, it may incorrectly assume a user belongs to an organization they are not a member of, potentially granting unauthorized access or privileges.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1391
https://access.redhat.com/security/cve/CVE-2025-1391
https://bugzilla.redhat.com/show_bug.cgi?id=2346082
https://github.com/keycloak/keycloak/commit/5aa2b4c75bb474303ab807017582bc01a9f7e378
https://github.com/advisories/GHSA-rq4w-cjrr-h8w8
EPSS Score: 0.03%
February 20th, 2025 (5 months ago)
Description: An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. [...]
February 20th, 2025 (5 months ago)
Description: The China-backed threat group often acts swiftly, going from initial access to compromise in just one day, a behavior atypical of cybercriminal groups.
February 20th, 2025 (5 months ago)
Description: William discusses what happens when security is an afterthought rather than baked into processes and highlights the latest of Talos' security research.
February 20th, 2025 (5 months ago)
Description: Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract. [...]
February 20th, 2025 (5 months ago)
Description: New Horizons Baking Company Has Fallen Victim to Cactus Ransomware
February 20th, 2025 (5 months ago)
Description: Dark Storm Team Targeted the Website of Bank of Central African States (BEAC)
February 20th, 2025 (5 months ago)
Description: The company, which owns IGN, CNET, PCMag, and dozens more outlets and properties, took down specific information about its diversity commitment on multiple pages on its website over the past several weeks.
February 20th, 2025 (5 months ago)