[CRITICAL] Authenticated server side code execution without programming rights on User Dashboards

Dear XWiki users/admins,

We have found and fixed an important security issue. It’s referenced as CVE-2020-11057. See https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmp6-jjg8-9424 for details of the attack and the risks.

We urge you to upgrade your XWiki instance to a version that contains the fix (11.10.3 or later on the LTS branch, 12.0 or later on the 12.x branch):

  • If you’re on the LTS branch, please upgrade to the latest release, which is 11.10.5.
  • If you’re on the 12.x cycle, please upgrade to 12.3.

Checking https://www.xwiki.org/xwiki/bin/view/ActiveInstalls/XWikiVersions, we can see that many XWiki instances are still running versions older than 11.10.3 (3777 instances, to be exact), so they remain exposed to this issue.
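If you run several instances, the following is a small added example (not code from the XWiki project or from this announcement) for triaging an inventory of hostnames and reported versions against the versions named above. It takes the fixed versions from this mail as 11.10.3 on the LTS branch and 12.0 on the 12.x branch, maps anything below 12 onto the LTS fix, and treats milestone and release-candidate builds of a fixed version as still affected; that conservative pre-release handling, the `major.minor[.patch][-milestone|rc-N]` version format it parses, and the inventory it runs on are all assumptions of the example rather than statements from the advisory.

```python
import re

# Fixed versions as stated in the advisory above: 11.10.3 on the 11.x LTS branch and
# 12.0 on the 12.x branch. The upgrade targets are the releases the mail recommends.
FIXED_VERSIONS = {11: (11, 10, 3), 12: (12, 0, 0)}
RECOMMENDED_TARGETS = {11: "11.10.5", 12: "12.3"}

# Assumption of this example (not from the advisory): milestone and RC builds of a
# fixed version are treated as still affected, so they sort before the final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1, "final": 2}

# Assumed version format: '11.10.2', '12.0', '12.0-rc-1', '11.10.3-milestone-2'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$")


def parse_xwiki_version(version):
    """Turn a version string into a tuple that compares in release order:
    (major, minor, patch, qualifier_rank, qualifier_number)."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, qualifier, qualifier_number = m.groups()
    return (
        int(major),
        int(minor),
        int(patch or 0),
        _QUALIFIER_RANK[qualifier or "final"],
        int(qualifier_number or 0),
    )


def _branch(major):
    """Map a major version onto the branch the advisory talks about: anything
    below 12 is measured against the 11.10.3 LTS fix, 12 and above against 12.0."""
    return 12 if major >= 12 else 11


def is_affected(version):
    """True if this version predates the fix for CVE-2020-11057 on its branch."""
    parsed = parse_xwiki_version(version)
    fixed = FIXED_VERSIONS[_branch(parsed[0])] + (_QUALIFIER_RANK["final"], 0)
    return parsed < fixed


def recommended_upgrade(version):
    """The upgrade target named in the advisory for an affected instance,
    or None when the instance already runs a fixed version."""
    if not is_affected(version):
        return None
    return RECOMMENDED_TARGETS[_branch(parse_xwiki_version(version)[0])]


def triage(inventory):
    """Given (hostname, version) pairs, return the affected ones with their
    upgrade target, oldest version first, so the worst stragglers come out on top."""
    affected = [
        (host, version, recommended_upgrade(version))
        for host, version in inventory
        if is_affected(version)
    ]
    return sorted(affected, key=lambda row: parse_xwiki_version(row[1]))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("wiki-a.example.org", "11.10.2"),
    ("wiki-b.example.org", "11.10.3"),
    ("wiki-c.example.org", "12.0-rc-1"),
    ("wiki-d.example.org", "12.3"),
    ("wiki-e.example.org", "10.11.9"),
]

if __name__ == "__main__":
    for host, version, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2020-11057, upgrade to {target}")
```

Feed `triage()` your own (hostname, version) list; an unparsable version string raises rather than being silently skipped, so instances with unknown versions are not quietly dropped from the report.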

We apologize for the inconvenience.

The XWiki Development Team