CVE-2024-21650 Overview
CVE-2024-21650 is a critical remote code execution (RCE) vulnerability affecting XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. The vulnerability exists in the user registration feature, where an attacker can execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This flaw impacts all XWiki installations that have user registration enabled for guests, making it a significant threat to exposed instances.
Critical Impact
Unauthenticated attackers can achieve remote code execution by injecting malicious payloads through the user registration form, potentially leading to complete system compromise.
Affected Products
- XWiki Platform versions prior to 14.10.17
- XWiki Platform versions 15.0 through 15.5.2
- XWiki Platform versions 15.6 through 15.7
Discovery Timeline
- 2024-01-08 - CVE-2024-21650 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21650
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). The flaw resides in how XWiki processes user-supplied input during the registration process, specifically in the registration success message displayed after a user registers.
The vulnerable code directly interpolates user-provided first name and last name values into an XWiki macro without proper sanitization. Since XWiki uses a custom rendering engine that supports various macro syntaxes including Velocity scripting, an attacker can inject malicious Velocity or Groovy code through these registration fields. When the registration success message is rendered, the injected code is executed with the privileges of the XWiki application.
Root Cause
The root cause is insufficient input sanitization in the RegistrationConfig.xml file. The original implementation directly embedded $request.get('register_first_name') and $request.get('register_last_name') values into the registration success message template without escaping or sanitizing the input. This allowed attackers to inject XWiki rendering syntax that would be interpreted and executed server-side.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker simply needs to access the XWiki user registration page (available to guests by default) and submit a registration form with malicious code in the first name or last name fields. The payload executes when the success message is rendered, giving the attacker the ability to run arbitrary code on the server.
// Vulnerable code (before patch) - Source: GitHub Commit
<registrationSuccessMessage>#set($fullName = "$request.get('register_first_name') $request.get('register_last_name')")
{{info}}$services.localization.render('core.register.successful', [["$fullName>>$userSpace$userName"]], $userName){{/info}}</registrationSuccessMessage>
Source: GitHub Commit Update
Detection Methods for CVE-2024-21650
Indicators of Compromise
- Unusual user registration entries with XWiki macro syntax (e.g., {{/html}}, {{groovy}}, {{velocity}}) in name fields
- Server logs showing registration attempts with special characters or scripting keywords in the first/last name parameters
- Unexpected process executions or network connections originating from the XWiki application server
Detection Strategies
- Monitor web application logs for registration requests containing XWiki wiki syntax such as {{, }}, $services, or $xwiki in form fields
- Implement web application firewall (WAF) rules to detect and block payloads containing XWiki macro patterns in POST parameters
- Review user database for accounts with suspicious names containing scripting syntax or encoded characters
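To make the log-review and account-review strategies above concrete, here is an added detection example (not XWiki code and not part of this advisory) that percent-decodes constructed registration POST records and flags name fields carrying XWiki macro delimiters or script-service references; the `<ip> <method> <path> body=<form>` log layout and the `/bin/register/` path are assumptions to adapt to your own access logs.

```python
import re
from urllib.parse import parse_qs

# Indicators from the advisory: XWiki macro delimiters and script-service
# references, none of which belong in a legitimate first or last name.
SUSPICIOUS = re.compile(
    r"\{\{|\}\}|\$services\b|\$xwiki\b|\$request\b|#set\s*\(", re.IGNORECASE
)
NAME_FIELDS = ("register_first_name", "register_last_name")
# Assumed default registration path; adjust for your deployment.
REGISTER_PATH = "/bin/register/"


def flagged_name_fields(body):
    """Decode a form-encoded POST body (percent-decoding included, so %7B%7B
    is caught as '{{') and return {field: value} for name fields that
    contain XWiki rendering syntax."""
    form = parse_qs(body, keep_blank_values=True)
    return {f: v for f in NAME_FIELDS for v in form.get(f, []) if SUSPICIOUS.search(v)}


def scan_log(lines):
    """Scan log lines of the assumed form '<ip> <method> <path> body=<form>'
    and return (ip, field, decoded_value) for each suspicious registration."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ip, method, path, rest = parts
        if method != "POST" or REGISTER_PATH not in path or not rest.startswith("body="):
            continue
        for field, value in flagged_name_fields(rest[len("body="):]).items():
            findings.append((ip, field, value))
    return findings


# Constructed sample records, not real traffic: one benign registration,
# one with an encoded macro opener, one GET to ignore, one with $services.
SAMPLE_LOG = [
    "203.0.113.5 POST /xwiki/bin/register/XWiki/XWikiRegister body=register_first_name=Alice&register_last_name=O%27Brien&xwikiname=aobrien",
    "203.0.113.7 POST /xwiki/bin/register/XWiki/XWikiRegister body=register_first_name=%7B%7Bvelocity%7D%7D&register_last_name=Smith&xwikiname=tmp1",
    "198.51.100.9 GET /xwiki/bin/view/Main/WebHome body=",
    "203.0.113.8 POST /xwiki/bin/register/XWiki/XWikiRegister body=register_first_name=Bob&register_last_name=%24services.foo&xwikiname=bob",
]

if __name__ == "__main__":
    for ip, field, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: {field}={value!r}")
```

The same `flagged_name_fields` check can be run over first/last name values exported from the user database to find accounts created before logging was in place.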
Monitoring Recommendations
- Enable verbose logging for the XWiki registration module to capture all registration attempts and their parameters
- Configure alerts for any server-side code execution indicators following user registration events
- Implement file integrity monitoring on XWiki configuration and content directories to detect unauthorized modifications
How to Mitigate CVE-2024-21650
Immediate Actions Required
- Upgrade XWiki Platform to version 14.10.17, 15.5.3, or 15.8 RC1 or later immediately
- If immediate patching is not possible, disable guest user registration until the patch can be applied
- Review recent user registrations for signs of exploitation attempts
Patch Information
XWiki has released security patches addressing this vulnerability. The fix modifies how user-provided names are handled in the registration success message by properly escaping the output and using safe rendering methods.
// Patched code - Source: GitHub Commit
<registrationSuccessMessage>#set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName]))
#set($userLink = $xwiki.getUserName("$userSpace$userName"))
{{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}}</registrationSuccessMessage>
Source: GitHub Commit Update
For additional details, refer to the GitHub Security Advisory and XWiki Jira Issue XWIKI-21173.
Workarounds
- Disable guest registration by removing the registration privilege from guests in XWiki administration settings (enabling requireCaptcha only adds a CAPTCHA step and does not by itself block registration)
- Implement network-level access controls to restrict access to the registration endpoint from untrusted sources
- Deploy a web application firewall with rules to filter XWiki macro syntax from user input fields
# Configuration example - Disable guest registration in xwiki.cfg
xwiki.authentication.guest=0
# Or restrict registration to authenticated users only in Administration > Users > Registration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.