<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>XWiki Platform Old Core (&lt; 17.10.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/xwiki-platform-old-core--17.10.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 13:15:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/xwiki-platform-old-core--17.10.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>XWiki Platform Old Core Path Traversal via /skin/ Endpoint (CVE-2026-34151)</title><link>https://feed.craftedsignal.io/briefs/2026-07-xwiki-path-traversal/</link><pubDate>Tue, 07 Jul 2026 13:15:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-xwiki-path-traversal/</guid><description>An attacker can exploit CVE-2026-34151, a path traversal vulnerability in XWiki Platform Old Core through the `/skin/` action endpoint when hosted on Jetty 12+. This allows unauthenticated users to craft URLs to access and download arbitrary files on the server, such as `/etc/passwd` or sensitive XWiki configuration files (e.g., `xwiki.cfg`), potentially leading to information disclosure and further system compromise.</description><content:encoded><![CDATA[<p>CVE-2026-34151 identifies a critical path traversal vulnerability affecting XWiki Platform Old Core versions prior to 17.10.5 and between 18.0.0-rc-1 and 18.2.0, specifically when deployed on Jetty 12+ application servers. This flaw allows unauthenticated attackers to construct specially crafted URLs that, when processed by the vulnerable XWiki instance, can bypass directory restrictions. This enables access to any file on the underlying operating system that the Jetty process has permissions to read, including sensitive system files like <code>/etc/passwd</code> or application-specific configuration files such as <code>xwiki.cfg</code> and Hibernate settings. The vulnerability poses a significant information disclosure risk, as it could expose critical system and application data, potentially leading to further reconnaissance, credential harvesting, or escalation of privileges by a threat actor.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An unauthenticated attacker sends an HTTP GET request to the vulnerable XWiki application's <code>/xwiki/bin/skin/</code> endpoint.</li>
<li><strong>Payload Crafting:</strong> The attacker embeds double URL-encoded path traversal sequences (<code>..%252f</code>) within the URL path following the <code>/skin/</code> action.</li>
<li><strong>Targeting Sensitive Files:</strong> The crafted URL aims to traverse directories to reach sensitive files, such as <code>http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd</code> for system files or <code>http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg</code> for application configuration files.</li>
<li><strong>Application Processing:</strong> The XWiki application, running on Jetty 12+, processes the request to the <code>/skin/</code> endpoint.</li>
<li><strong>Path Traversal Execution:</strong> Due to the vulnerability, Jetty 12+ misinterprets the encoded path traversal sequences, allowing the application to access resources outside its intended web application directory.</li>
<li><strong>File Retrieval:</strong> The web server retrieves the content of the targeted file (e.g., <code>/etc/passwd</code>, <code>xwiki.cfg</code>) from the file system.</li>
<li><strong>Data Disclosure:</strong> The server responds to the attacker with the contents of the sensitive file, revealing potentially critical system or application information.</li>
<li><strong>Impact:</strong> This leads to information disclosure, which can be used for reconnaissance, identifying user accounts, understanding application architecture, or finding credentials for subsequent attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34151 can lead to severe information disclosure. Attackers can access any file on the server that the Jetty instance has read permissions for, including operating system files like <code>/etc/passwd</code>, revealing local user accounts and system configuration. More critically, it allows access to sensitive XWiki and Hibernate configuration files (e.g., <code>xwiki.cfg</code>), which often contain database connection strings, API keys, and other proprietary application settings. This information can be leveraged for further attacks, such as database compromise, privilege escalation, or lateral movement within the network. There are no reported victim counts, but any organization running affected XWiki versions on Jetty 12+ is at risk across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-34151:</strong> Immediately upgrade XWiki Platform Old Core to version 17.10.5 or 18.2.0 or later to remediate CVE-2026-34151.</li>
<li><strong>Deploy Detection Rule:</strong> Deploy the provided Sigma rule &quot;Detects CVE-2026-34151 Exploitation — XWiki Path Traversal&quot; to your SIEM solution to identify attempts to exploit this vulnerability.</li>
<li><strong>Monitor Webserver Logs:</strong> Configure web server logging for HTTP requests to capture full URIs and query strings, specifically for unusual access patterns to the <code>/xwiki/bin/skin/</code> endpoint containing <code>..%252f</code> or similar encoded path traversal sequences.</li>
<li><strong>Implement Workarounds (if patching is not immediate):</strong> As a temporary measure, consider migrating XWiki to an application server other than Jetty 12+, such as Tomcat or an older version of Jetty (&lt; 12), as these are not impacted by this specific vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>web-vulnerability</category><category>xwiki</category><category>jetty</category><category>cve</category><category>information-disclosure</category><category>platform:network</category></item></channel></rss>