Skip to main content

Exposure of Resource to Wrong Sphere


Severity High
Score 7.5/10


APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. In versions prior to 12.6.7 and 12.7-rc-1 prior to 12.10.3, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

  • HIGH
  • HIGH
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-668 - Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Advisory Timeline

  • Published