The template which comes with the installation media, xpart.vm, is a template for the installation of XWiki and cannot be used for creating new user accounts. Thus, one may either use a different template for user account creation, or overwrite the installation template by creating a new one. Note that the new installation template does not have to be named xpart.vm, but may be named anything. The installation template has the following content:

    <?xml version="1.0" ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
    <title>XWiki - Wiki Platform</title>
    <link rel="stylesheet" href="http://www.werkkzeug.org/styles/xwiki.css" type="text/css">
    <script type="text/javascript" src="http://www.werkkzeug.org/xwiki/js/xWiki.js"></script>
    <script type="text/javascript" src="http://www.werkkzeug.org/xwiki/js/xWiki.jquery.js"></script>
    <script type="text/javascript" src="http://www.werkkzeug.org/x

Installing the XWiki 4.0 Prerequisites

It is recommended to start by installing the XWiki 4.0 Prerequisites before installing the application itself.
The installation of the prerequisites is done by executing the x-prerequisites installer, which comes with the installation media.

Installing XWiki on Red Hat Enterprise Linux

First, log in to the server as the root user. The installation requires that the system be configured for x86_64 support.

Installing XWiki with a new installation template

One can install XWiki with the help of a new installation template. This is done by running the following commands:

    $ cd /tmp/xwiki/
    $ bin/xpart create default xwiki-install-template.vm

Vulnerability details

CVE-2022-36093 is a vulnerability found in xpart.vm, the template that comes with the installation media for XWiki. It allows arbitrary code execution on the XWiki server through an XML external entity (XXE) attack vector, which would let an attacker download arbitrary files and potentially install malware on the local server. This vulnerability was discovered by werkkzeug and published on May 29, 2017.
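The XXE class described above is mitigated at the XML parser: a parser that refuses DOCTYPE declarations and never resolves external entities cannot be made to read local files, whatever the template hands it. The following is an added example and is not XWiki's code or the fix shipped for this CVE; it assumes a Java application parsing untrusted XML with the JDK's built-in DOM parser, and the XML documents (including the file path in the entity declaration) are constructed samples used only to show the hardened parser rejecting the hostile input.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardenedParser {

    // Constructed sample: a document whose DTD declares an external entity that
    // points at a local file. A parser that resolves it copies the file's
    // contents into the parsed document.
    static final String HOSTILE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE config [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<config>&ext;</config>";

    // Constructed sample: an ordinary document with no DTD at all.
    static final String BENIGN_XML =
        "<?xml version=\"1.0\"?><config><name>wiki</name></config>";

    /** Builds a DocumentBuilder with DTD and external entity processing switched off. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting every DOCTYPE blocks classic XXE and entity-expansion DoS outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DTD for other reasons.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Empty protocol lists: no external DTD or schema may be fetched over any scheme.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    static boolean parses(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            // disallow-doctype-decl raises a SAXParseException on the DOCTYPE line,
            // before any entity could be resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document parses:  " + parses(BENIGN_XML));
        System.out.println("hostile document parses: " + parses(HOSTILE_XML));
    }
}
```

The first feature alone is the decisive one; the remaining settings matter only where a deployment cannot refuse DTDs entirely, and they are cheap to keep regardless. The same properties apply to SAX and StAX parsers obtained from their respective factories.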

Timeline

Published on: 09/08/2022 18:15:00 UTC
Last modified on: 09/14/2022 15:25:00 UTC

References