Package Instance

XWiki Platform vulnerable to document deletion and overwrite from edit
### Impact

When a user has edit but not view right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as rights of the previous version are transferred to the new page and thus the user still doesn't have view right on the page. From all we examined, it therefore doesn't seem to be possible to exploit this to gain any rights.

To reproduce, just replace `view` by `edit` in the URL of a page that you cannot view but edit and save. This should send the page to the recycle bin and replace it by an empty one if the XWiki installation is vulnerable. After the fix, an error is displayed when saving.

### Patches
This has been patched in XWiki 14.10.21, 15.5.5 and 15.10.6 by cancelling save operations by users when a new document shall be saved despite the document's existing already.

### Workarounds
We're not aware of any workarounds.

### References
* https://jira.xwiki.org/browse/XWIKI-21553
* https://github.com/xwiki/xwiki-platform/commit/c5efc1e519e710afdf3c5f40c0fcc300ad77149f

XWiki Platform remote code execution from account via custom skins support
### Impact
Any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. 

To reproduce, as a user without edit, script or admin right, add an object of class `XWiki.XWikiSkins` to your profile. Name it whatever you want and set the Base Skin to `flamingo`.
Add an object of class `XWikiSkinFileOverrideClass` and set the path to `macros.vm` and the content to:
```
#macro(mediumUserAvatar $username)
  #resizedUserAvatar($username 50)
  $services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end
```
Back to your profile, click `Test this skin`. Force a refresh, just in case.
If the error "Skin - I got programming: true" gets logged, the installation is vulnerable.

### Patches
This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1.

### Workarounds
We're not aware of any workaround except upgrading.

### References
* https://jira.xwiki.org/browse/XWIKI-21478
* https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39 (>= 15.8 RC1)
* https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56 (< 15.8 RC1)

XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted
### Impact

It is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that vulnerability it's possible for an attacker to have access to the hash password of a user if they have rights to edit the users' page. 

Now with the default right scheme in XWiki this vulnerability is normally prevented on user profiles, except by users with Admin rights. Note that this vulnerability also impacts any extensions that might use passwords stored in xobjects: for those usecases it depends on the right of those pages.

There is currently no way to be 100% sure that this vulnerability has been exploited, as an attacker with enough privilege could have deleted the revision where the xobject was deleted after rolling-back the deletion. But again, this operation requires high privileges on the target page (Admin right). A page with a user password xobject which have in its history a revision where the object has been deleted should be considered at risk and the password should be changed there.

### Patches

The vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-rc-1 by performing a better check before dislaying data of a diff, to ensure it's not coming from a password field. 

### Workarounds

Admins should ensure that the user pages are properly protected: the edit right shouldn't be allowed for other users than Admin and owner of the profile (which is the default right). 
Now there's not much workaround possible for a privileged user other than upgrading XWiki. 

### References

* JIRA ticket: https://jira.xwiki.org/browse/XWIKI-19948
* Commit: https://github.com/xwiki/xwiki-platform/commit/f1eaec1e512220fabd970d053c627e435a1652cf

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)

XWiki Platform allows remote code execution from user account
### Impact
When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.

To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`.
As an admin, go to the user profile and click the "Disable this account" button.
Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable.

### Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

### Workarounds
We're not aware of any workaround except upgrading.

### References
* https://jira.xwiki.org/browse/XWIKI-21611
* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

XWiki Platform: Privilege escalation (PR) from user registration through PDFClass
### Impact
Remote code execution is possible via PDF export templates.
To reproduce on an installation, register a new user account with username `PDFClass` if `XWiki.PDFClass` does not exist.
On `XWiki.PDFClass`, use the class editor to add a "style" property of type "TextArea" and content type "Plain Text".
Then, add an object of class `PDFClass` and set the "style" attribute to `$services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')")`.
Finally, go to `<host>/xwiki/bin/export/Main/WebHome?format=pdf&pdftemplate=XWiki.PDFClass`. If the logs contain "ERROR PDFClass - I got programming: true", the instance is vulnerable.

### Patches
This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1.

### Workarounds
If PDF templates are not typically used on the instance, an administrator can create the document `XWiki.PDFClass` and block its edition, after making sure that it does not contain a `style` attribute.
Otherwise, the instance needs to be updated.

### References
- https://jira.xwiki.org/browse/XWIKI-21337
- https://github.com/xwiki/xwiki-platform/commit/d28e21a670c69880b951e415dd2ddd69d273eae9

XWiki Platform allows XSS through XClass name in string properties
### Impact
Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript.
This requires social engineer to trick a user to follow the URL.

#### Reproduction steps

1. As a user without script or programming right, create a (non-terminal) document named `" + alert(1) + "` (the quotes need to be part of the name).
1. Edit the class.
1. Add a string property named `"test"`.
1. Edit using the object editor and add an object of the created class
1. Get an admin to open `<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit` where `<xwiki-server>` is the URL of your XWiki installation.

### Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

### Workarounds

We're not aware of any workaround except upgrading.

### References
- https://jira.xwiki.org/browse/XWIKI-21810
- https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c