CVE-2025-24893

Remote code execution as guest via SolrSearchMacros request in xwiki

Basic Information

CVE State: PUBLISHED
Reserved Date: January 27, 2025
Published Date: February 20, 2025
Last Updated: February 20, 2025
Vendor: xwiki
Product: xwiki-platform
Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Tags

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source	Added Date
The Shadowserver (via CIRCL)	2025-04-24 00:00:00 UTC

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24893.yaml	2025-04-26 00:00:00 UTC

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Type: github • Created: 2025-05-05 04:10:48 UTC • Stars: 0

Type: github • Created: 2025-02-25 07:11:51 UTC • Stars: 5

XWiki SolrSearchMacros 远程代码执行漏洞PoC（CVE-2025-24893）