[CRITICAL] Authenticated server side code execution without programming rights on User Dashboards

Dear XWiki users/admins,

We have found and fixed an important security issue. It’s referenced as CVE-2020-11057. See Authenticated server side code execution without programming rights on User Dashboards · Advisory · xwiki/xwiki-platform · GitHub for details of the attack and the risks.

We urge you to upgrade your XWiki instance to versions later than 11.10.3 & 12.0:

  • If you’re on the LTS, please upgrade to the latest, which is 11.10.5.
  • If you’re on the 12.x cycle, please upgrade to 12.3.

Checking https://www.xwiki.org/xwiki/bin/view/ActiveInstalls/XWikiVersions we can see that we have a lot of XWiki instances still using versions older than 11.10.3 (3777 instances to be exact).

We apologize for the inconvenience.

The XWiki Development Team