Impact
It’s possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form.
Patches
The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2.
Workarounds
The only workarounds for this are:
- use an authenticator which does interpret the login as a reference to a document
- use a different database than PostgreSQL
- upgrade XWiki
References
https://jira.xwiki.org/browse/XWIKI-19886
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List