XWiki Platform contains a missing authorization vulnerability (CWE-862) in the POST /wikis/{wikiName} API endpoint. In affected versions prior to 16.10.17, 17.4.9, 17.10.3, and 18.1.0-rc-1, this endpoint executes a XAR import operation without performing any authentication or authorization checks. This allows unauthenticated attackers to create or modify wiki documents arbitrarily. The vulnerability has been addressed by patches released in versions 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.

An unauthenticated attacker can create or update documents in the target XWiki instance by exploiting the missing authorization check on the XAR import API. This can lead to unauthorized content modification, potentially impacting data integrity and trustworthiness of the wiki content. The CVSS 4.0 score of 9.3 reflects high impact due to network attack vector, no required privileges or user interaction, and high confidentiality, integrity, and availability impacts.

This vulnerability has been patched in XWiki Platform versions 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. Users should upgrade to one of these fixed versions to remediate the issue. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigation steps are indicated beyond applying the official patches.