CVE-2025-65091

XWiki · XWiki Full Calendar Macro

A critical SQL injection vulnerability, rated CVSS 10, has been identified in the XWiki Full Calendar Macro.

Executive summary

A critical SQL injection vulnerability, rated CVSS 10, has been identified in the XWiki Full Calendar Macro. This flaw allows any user, including unauthenticated guest users, to directly interact with the application's database, enabling them to steal sensitive information or trigger a denial-of-service (DoS) attack. Due to the ease of exploitation and severe potential impact, immediate remediation is required to prevent a full system compromise.

Vulnerability

The vulnerability exists within the Calendar.JSONService page of the XWiki Full Calendar Macro. This service fails to properly sanitize user-supplied input before using it to construct a SQL query. An unauthenticated attacker can send a specially crafted request to this page, injecting malicious SQL commands that will be executed by the back-end database. This allows the attacker to bypass all application-level security and gain direct access to the database to read, modify, or delete data, as well as execute commands that could overload the database, causing a denial-of-service condition.

Business impact

This vulnerability is of critical severity with a CVSS score of 10, posing an extreme risk to the organization. Successful exploitation could lead to a catastrophic data breach, resulting in the exfiltration of all data stored within the XWiki instance, including proprietary documents, user credentials, personally identifiable information (PII), and other confidential data. Furthermore, the ability to trigger a DoS attack could render the XWiki platform completely unavailable, disrupting critical business operations that rely on it. The potential consequences include severe financial loss, regulatory fines for non-compliance (e.g., GDPR), significant reputational damage, and a complete loss of data integrity.

Remediation

Immediate Action: Apply the security patch by following the vendor's recommendation: update the XWiki Full Calendar Macro to the latest version (2.4.5 or newer). After patching, monitor for any continued exploitation attempts and review historical access logs for indicators of compromise prior to the update.

Proactive Monitoring:

  • Review web server and application logs for requests to the Calendar.JSONService page, specifically searching for suspicious patterns, SQL keywords (SELECT, UNION, ', --), or encoded characters in the request parameters.
  • Monitor database logs for unusual or long-running queries originating from the XWiki application's service account.
  • Implement alerts for high CPU or memory utilization on the database and web server, which could indicate an ongoing DoS attack.
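The log review described in the first bullet can be scripted. The following is an added example, not code from the advisory or from the XWiki project: it parses web-server access-log lines in Combined Log Format, picks out requests whose path ends in the Calendar space's JSONService page, decodes the query parameters (repeatedly, so that double URL-encoding does not hide anything), and flags parameter values containing the SQL tokens the bullet names. The log lines are constructed sample data, and the URL layout `/xwiki/bin/<action>/Calendar/JSONService` is an assumption based on XWiki's usual `/bin/<action>/<Space>/<Page>` scheme; adjust `TARGET_RE` to match your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# The second line carries URL-encoded SQL tokens in the "start" parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:09:14:02 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2025-11-01&end=2025-11-30 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2025:09:15:11 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2025-11-01%27%20UNION%20SELECT%20--&end=2025-11-30 HTTP/1.1" 200 8192 "-" "curl/8.4.0"
192.0.2.14 - - [10/Nov/2025:09:16:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed path of the vulnerable page: any XWiki action on the Calendar.JSONService document.
TARGET_RE = re.compile(r"/bin/[^/]+/Calendar/JSONService$", re.IGNORECASE)

# Tokens named in the advisory's monitoring guidance (SELECT, UNION, ', --) plus a comment opener.
SQL_RE = re.compile(r"\bunion\b|\bselect\b|'|--|/\*", re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double-encoded input is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the log record fields as a dict, or None if the line is not Combined Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return (param, decoded_value, tokens) for each suspicious parameter of a request to
    the calendar JSON service; an empty list for other pages or clean parameters."""
    parts = urlsplit(target)
    if not TARGET_RE.search(parts.path):
        return []
    findings = []
    # parse_qsl already decodes one layer; decode_fully handles any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(raw)
        tokens = SQL_RE.findall(decoded)
        if tokens:
            findings.append((name, decoded, tokens))
    return findings


def scan_log(text):
    """Run inspect_request over every parsable line and collect alerts with source context."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = inspect_request(rec["target"])
        if findings:
            alerts.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "status": rec["status"],
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['ip']} status={alert['status']}")
        for name, value, tokens in alert["findings"]:
            print(f"  param {name!r}: {value!r} tokens={tokens}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. A 200 response to a flagged request is the case worth escalating: because the page does not sanitize its input, a successful request implies the injected query reached the database, so those client addresses and timestamps should be correlated with the database logs mentioned in the second bullet.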

Compensating Controls: If immediate patching is not feasible, implement the following controls as a temporary measure:

  • Web Application Firewall (WAF): Deploy a WAF with a strict ruleset designed to detect and block SQL injection attack patterns.
  • Access Restriction: If possible, configure your web server or a reverse proxy to block all external access to the vulnerable Calendar.JSONService page.
  • Database Activity Monitoring (DAM): Use a DAM tool to monitor, alert on, and potentially block anomalous queries against the XWiki database.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a clear and present danger to the organization. Given its critical severity (CVSS 10) and the ability for unauthenticated attackers to achieve full database compromise, immediate action is mandatory. All affected instances of the XWiki Full Calendar Macro must be updated to version 2.4.5 or later on an emergency basis. Due to its severity, this vulnerability is a prime candidate for future inclusion in the CISA KEV catalog, and organizations should prioritize its remediation above all other routine patching activities.