Changes for page XWiki Security Review

Last modified by Agnease on 2026/05/25 16:04

From version 7.3
edited by Agnease
on 2026/05/22 14:17
Change comment: There is no comment for this version
To version 7.4
edited by Agnease
on 2026/05/25 16:04
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -1,22 +1,18 @@
1 1  {{velocity}}
2 2  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 3  {{html clean="false"}}
4 -
5 5   ## PAGE HEADER
6 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
5 + <section class="hero hero-centered" aria-labelledby="hero-title">
7 7   <div class="container hero-inner">
8 8   <div class="hero-kicker">
9 9   <i class="fa fa-shield" aria-hidden="true"></i>
10 10   XWiki security review
11 11   </div>
12 -
13 13   <h1 id="hero-title">Security-aware review for XWiki production environments</h1>
14 -
15 15   <p class="lead">
16 16   Review XWiki versions, extensions, permissions, authentication, configuration and upgrade exposure
17 17   to identify practical security risks and define safer next steps.
18 18   </p>
19 -
20 20   <div class="hero-actions">
21 21   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
22 22   <a class="btn btn-secondary" href="#security-review-process">See the review approach</a>
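Review bot: dropping the "service-hero" class from the hero section (the line now reading <section class="hero hero-centered" aria-labelledby="hero-title">) is an undocumented visual change, and this version carries no change comment explaining it. Before merging, confirm that the stylesheet pulled in by $xwiki.ssx.use('PublicWebSite.WebHome') no longer targets .service-hero, otherwise the hero loses whatever spacing or background that class provided. The remaining lines of the hunk only remove blank lines and need no further review.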
... ... @@ -23,385 +23,281 @@
23 23   </div>
24 24   </div>
25 25   </section>
26 -
27 27   ## WHY SECURITY REVIEW MATTERS
23 + #set ($securityReasonItems = [{
24 + 'title': 'Understand upgrade exposure',
25 + 'icon': 'refresh',
26 + 'content': 'Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed against your current platform state.',
27 + 'items': [
28 + 'Current version review',
29 + 'Upgrade gap assessment',
30 + 'LTS upgrade recommendations'
31 + ]
32 + },{
33 + 'title': 'Review powerful rights',
34 + 'icon': 'key',
35 + 'content': 'Rights such as admin, programming, script and edit rights can affect the security of the whole platform when granted too broadly.',
36 + 'items': [
37 + 'Admin and programming rights',
38 + 'Script and edit rights',
39 + 'Space and page permission inheritance'
40 + ]
41 + },{
42 + 'title': 'Check access boundaries',
43 + 'icon': 'lock',
44 + 'content': 'Authentication, group synchronization and permissions should match the real access boundaries expected by the organization.',
45 + 'items': [
46 + 'Authentication configuration',
47 + 'Group and user model',
48 + 'Restricted content visibility'
49 + ]
50 + }])
28 28   <section aria-labelledby="why-security-title">
29 29   <div class="container">
30 30   <h2 id="why-security-title">Why review the security of an XWiki instance?</h2>
31 -
32 32   <p class="section-intro">
33 33   XWiki often contains internal documentation, procedures, customer information, project knowledge,
34 34   workflows and restricted business data. Security depends not only on the XWiki version, but also on
35 35   extensions, authentication, user rights, scripting, configuration and operational practices.
36 36   </p>
37 -
38 38   <div class="pathways">
39 - <article class="pathway-card">
40 - <div class="pathway-icon">
41 - <i class="fa fa-refresh" aria-hidden="true"></i>
42 - </div>
43 - <h3>Understand upgrade exposure</h3>
44 - <p>
45 - Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed
46 - against your current platform state.
47 - </p>
48 - <ul>
49 - <li>Current version review</li>
50 - <li>Upgrade gap assessment</li>
51 - <li>LTS upgrade recommendations</li>
52 - </ul>
53 - </article>
54 -
55 - <article class="pathway-card">
56 - <div class="pathway-icon">
57 - <i class="fa fa-key" aria-hidden="true"></i>
58 - </div>
59 - <h3>Review powerful rights</h3>
60 - <p>
61 - Rights such as admin, programming, script and edit rights can affect the security of the whole platform
62 - when granted too broadly.
63 - </p>
64 - <ul>
65 - <li>Admin and programming rights</li>
66 - <li>Script and edit rights</li>
67 - <li>Space and page permission inheritance</li>
68 - </ul>
69 - </article>
70 -
71 - <article class="pathway-card">
72 - <div class="pathway-icon">
73 - <i class="fa fa-lock" aria-hidden="true"></i>
74 - </div>
75 - <h3>Check access boundaries</h3>
76 - <p>
77 - Authentication, group synchronization and permissions should match the real access boundaries expected
78 - by the organization.
79 - </p>
80 - <ul>
81 - <li>Authentication configuration</li>
82 - <li>Group and user model</li>
83 - <li>Restricted content visibility</li>
84 - </ul>
85 - </article>
60 + #foreach ($entry in $securityReasonItems)
61 + <article class="pathway-card">
62 + <div class="card-heading">
63 + <div class="pathway-icon">
64 + <i class="fa fa-$entry.icon" aria-hidden="true"></i>
65 + </div>
66 + <h3>$entry.title</h3>
67 + </div>
68 + <p>$entry.content</p>
69 + <ul>
70 + #foreach ($item in $entry.items)
71 + <li>$item</li>
72 + #end
73 + </ul>
74 + </article>
75 + #end
86 86   </div>
87 87   </div>
88 88   </section>
89 -
90 90   ## COMMON REVIEW AREAS
80 + #set ($securityReviewAreaItems = [{
81 + 'title': 'XWiki version and upgrade status',
82 + 'icon': 'code-fork',
83 + 'content': 'Review of the current version, distance from supported releases, upgrade history and recommended update path.'
84 + },{
85 + 'title': 'Installed extensions',
86 + 'icon': 'puzzle-piece',
87 + 'content': 'Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.'
88 + },{
89 + 'title': 'Powerful user rights',
90 + 'icon': 'user-secret',
91 + 'content': 'Review of admin, programming, script, edit and application-related rights that may increase platform risk.'
92 + },{
93 + 'title': 'Authentication configuration',
94 + 'icon': 'sign-in',
95 + 'content': 'Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.'
96 + },{
97 + 'title': 'Permissions and visibility',
98 + 'icon': 'lock',
99 + 'content': 'Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.'
100 + },{
101 + 'title': 'Configuration and deployment',
102 + 'icon': 'server',
103 + 'content': 'Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.'
104 + }])
91 91   <section class="services" aria-labelledby="review-areas-title">
92 92   <div class="container">
93 93   <h2 id="review-areas-title">Common security review areas</h2>
94 -
95 95   <p class="section-intro">
96 96   The review focuses on practical XWiki security risks that can affect real production environments,
97 97   especially older instances, customized platforms and installations with complex access control.
98 98   </p>
99 -
100 100   <div class="services-grid">
101 - <article class="service">
102 - <div class="service-icon" aria-hidden="true">
103 - <i class="fa fa-code-fork"></i>
104 - </div>
105 - <div class="service-body">
106 - <h4>XWiki version and upgrade status</h4>
107 - <p>
108 - Review of the current version, distance from supported releases, upgrade history and recommended update path.
109 - </p>
110 - </div>
111 - </article>
112 -
113 - <article class="service">
114 - <div class="service-icon" aria-hidden="true">
115 - <i class="fa fa-puzzle-piece"></i>
116 - </div>
117 - <div class="service-body">
118 - <h4>Installed extensions</h4>
119 - <p>
120 - Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.
121 - </p>
122 - </div>
123 - </article>
124 -
125 - <article class="service">
126 - <div class="service-icon" aria-hidden="true">
127 - <i class="fa fa-user-secret"></i>
128 - </div>
129 - <div class="service-body">
130 - <h4>Powerful user rights</h4>
131 - <p>
132 - Review of admin, programming, script, edit and application-related rights that may increase platform risk.
133 - </p>
134 - </div>
135 - </article>
136 -
137 - <article class="service">
138 - <div class="service-icon" aria-hidden="true">
139 - <i class="fa fa-sign-in"></i>
140 - </div>
141 - <div class="service-body">
142 - <h4>Authentication configuration</h4>
143 - <p>
144 - Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.
145 - </p>
146 - </div>
147 - </article>
148 -
149 - <article class="service">
150 - <div class="service-icon" aria-hidden="true">
151 - <i class="fa fa-lock"></i>
152 - </div>
153 - <div class="service-body">
154 - <h4>Permissions and visibility</h4>
155 - <p>
156 - Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.
157 - </p>
158 - </div>
159 - </article>
160 -
161 - <article class="service">
162 - <div class="service-icon" aria-hidden="true">
163 - <i class="fa fa-server"></i>
164 - </div>
165 - <div class="service-body">
166 - <h4>Configuration and deployment</h4>
167 - <p>
168 - Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.
169 - </p>
170 - </div>
171 - </article>
113 + #foreach ($entry in $securityReviewAreaItems)
114 + <article class="service">
115 + <div class="service-icon" aria-hidden="true">
116 + <i class="fa fa-$entry.icon"></i>
117 + </div>
118 + <div class="service-body">
119 + <h4>$entry.title</h4>
120 + <p>$entry.content</p>
121 + </div>
122 + </article>
123 + #end
172 172   </div>
173 173   </div>
174 174   </section>
175 -
176 176   ## REVIEW APPROACH
128 + #set ($securityReviewProcessItems = [{
129 + 'title': 'Review the current platform state',
130 + 'content': 'XWiki version, extensions, configuration, authentication, deployment model and known customizations.'
131 + },{
132 + 'title': 'Assess access and rights',
133 + 'content': 'User groups, powerful rights, permission inheritance, public visibility and restricted content areas.'
134 + },{
135 + 'title': 'Identify security-relevant risks',
136 + 'content': 'Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.'
137 + },{
138 + 'title': 'Prioritize recommended actions',
139 + 'content': 'Classify findings by practical impact and define realistic remediation steps.'
140 + },{
141 + 'title': 'Plan follow-up improvements',
142 + 'content': 'Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.'
143 + }])
177 177   <section id="security-review-process" class="split-section" aria-labelledby="process-title">
178 178   <div class="container">
179 179   <div class="split-grid">
180 180   <div class="split-copy">
181 181   <h2 id="process-title">A practical security review approach</h2>
182 -
183 183   <p>
184 184   The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce
185 185   a generic checklist. A useful review should consider the version, configuration, customizations, extensions,
186 186   users, groups and operational context together.
187 187   </p>
188 -
189 189   <p>
190 190   The review is handled carefully and responsibly. The goal is to provide actionable findings and safer
191 191   next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance.
192 192   </p>
193 193   </div>
194 -
195 195   <ol class="process-list">
196 - <li>
197 - <strong>Review the current platform state</strong>
198 - XWiki version, extensions, configuration, authentication, deployment model and known customizations.
199 - </li>
200 - <li>
201 - <strong>Assess access and rights</strong>
202 - User groups, powerful rights, permission inheritance, public visibility and restricted content areas.
203 - </li>
204 - <li>
205 - <strong>Identify security-relevant risks</strong>
206 - Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.
207 - </li>
208 - <li>
209 - <strong>Prioritize recommended actions</strong>
210 - Classify findings by practical impact and define realistic remediation steps.
211 - </li>
212 - <li>
213 - <strong>Plan follow-up improvements</strong>
214 - Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.
215 - </li>
160 + #foreach ($entry in $securityReviewProcessItems)
161 + <li>
162 + <strong>$entry.title</strong>
163 + $entry.content
164 + </li>
165 + #end
216 216   </ol>
217 217   </div>
218 218   </div>
219 219   </section>
220 -
221 221   ## WHAT CAN BE INCLUDED
171 + #set ($securityIncludedItems = [{
172 + 'title': 'Version review',
173 + 'icon': 'refresh',
174 + 'content': 'Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.'
175 + },{
176 + 'title': 'Rights review',
177 + 'icon': 'key',
178 + 'content': 'Review of admin, programming, script, edit and view rights across important spaces and user groups.'
179 + },{
180 + 'title': 'Authentication review',
181 + 'icon': 'sign-in',
182 + 'content': 'Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.'
183 + },{
184 + 'title': 'Findings report',
185 + 'icon': 'file-text-o',
186 + 'content': 'Practical summary of findings, risks, recommended actions and follow-up priorities.'
187 + }])
222 222   <section aria-labelledby="included-title">
223 223   <div class="container">
224 224   <h2 id="included-title">What can be included</h2>
225 -
226 226   <p class="section-intro">
227 227   The scope can be adjusted depending on the sensitivity of the instance, the age of the platform,
228 228   the number of users and the complexity of the configuration.
229 229   </p>
230 -
231 231   <div class="widgets">
232 - <article class="widget">
233 - <div class="icon" aria-hidden="true">
234 - <i class="fa fa-refresh"></i>
235 - <h4>Version<br />review</h4>
236 - </div>
237 - <p>
238 - Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.
239 - </p>
240 - </article>
241 -
242 - <article class="widget">
243 - <div class="icon" aria-hidden="true">
244 - <i class="fa fa-key"></i>
245 - <h4>Rights<br />review</h4>
246 - </div>
247 - <p>
248 - Review of admin, programming, script, edit and view rights across important spaces and user groups.
249 - </p>
250 - </article>
251 -
252 - <article class="widget">
253 - <div class="icon" aria-hidden="true">
254 - <i class="fa fa-sign-in"></i>
255 - <h4>Authentication<br />review</h4>
256 - </div>
257 - <p>
258 - Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.
259 - </p>
260 - </article>
261 -
262 - <article class="widget">
263 - <div class="icon" aria-hidden="true">
264 - <i class="fa fa-file-text-o"></i>
265 - <h4>Findings<br />report</h4>
266 - </div>
267 - <p>
268 - Practical summary of findings, risks, recommended actions and follow-up priorities.
269 - </p>
270 - </article>
196 + #foreach ($entry in $securityIncludedItems)
197 + <article class="widget">
198 + <div class="icon" aria-hidden="true">
199 + <i class="fa fa-$entry.icon"></i>
200 + <h4>$entry.title</h4>
201 + </div>
202 + <p>$entry.content</p>
203 + </article>
204 + #end
271 271   </div>
272 272   </div>
273 273   </section>
274 -
275 275   ## IMPORTANT CONSIDERATIONS
209 + #set ($securityConsiderationItems = [{
210 + 'title': 'Responsible vulnerability handling',
211 + 'icon': 'eye-slash',
212 + 'content': 'Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.'
213 + },{
214 + 'title': 'Risk-based prioritization',
215 + 'icon': 'balance-scale',
216 + 'content': 'Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.'
217 + },{
218 + 'title': 'User and group complexity',
219 + 'icon': 'users',
220 + 'content': 'Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.'
221 + },{
222 + 'title': 'Custom code and scripting',
223 + 'icon': 'code',
224 + 'content': 'Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.'
225 + },{
226 + 'title': 'Upgrade as remediation',
227 + 'icon': 'refresh',
228 + 'content': 'In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.'
229 + },{
230 + 'title': 'Actionable next steps',
231 + 'icon': 'check-square-o',
232 + 'content': 'The review should lead to clear remediation actions, not only a list of theoretical concerns.'
233 + }])
276 276   <section class="services" aria-labelledby="considerations-title">
277 277   <div class="container">
278 278   <h2 id="considerations-title">Important considerations</h2>
279 -
280 280   <p class="section-intro">
281 281   A security review should be practical, careful and aligned with the way the XWiki instance is actually used.
282 282   The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information.
283 283   </p>
284 -
285 285   <div class="services-grid">
286 - <article class="service">
287 - <div class="service-icon" aria-hidden="true">
288 - <i class="fa fa-eye-slash"></i>
289 - </div>
290 - <div class="service-body">
291 - <h4>Responsible vulnerability handling</h4>
292 - <p>
293 - Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.
294 - </p>
295 - </div>
296 - </article>
297 -
298 - <article class="service">
299 - <div class="service-icon" aria-hidden="true">
300 - <i class="fa fa-balance-scale"></i>
301 - </div>
302 - <div class="service-body">
303 - <h4>Risk-based prioritization</h4>
304 - <p>
305 - Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.
306 - </p>
307 - </div>
308 - </article>
309 -
310 - <article class="service">
311 - <div class="service-icon" aria-hidden="true">
312 - <i class="fa fa-users"></i>
313 - </div>
314 - <div class="service-body">
315 - <h4>User and group complexity</h4>
316 - <p>
317 - Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.
318 - </p>
319 - </div>
320 - </article>
321 -
322 - <article class="service">
323 - <div class="service-icon" aria-hidden="true">
324 - <i class="fa fa-code"></i>
325 - </div>
326 - <div class="service-body">
327 - <h4>Custom code and scripting</h4>
328 - <p>
329 - Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.
330 - </p>
331 - </div>
332 - </article>
333 -
334 - <article class="service">
335 - <div class="service-icon" aria-hidden="true">
336 - <i class="fa fa-refresh"></i>
337 - </div>
338 - <div class="service-body">
339 - <h4>Upgrade as remediation</h4>
340 - <p>
341 - In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.
342 - </p>
343 - </div>
344 - </article>
345 -
346 - <article class="service">
347 - <div class="service-icon" aria-hidden="true">
348 - <i class="fa fa-check-square-o"></i>
349 - </div>
350 - <div class="service-body">
351 - <h4>Actionable next steps</h4>
352 - <p>
353 - The review should lead to clear remediation actions, not only a list of theoretical concerns.
354 - </p>
355 - </div>
356 - </article>
242 + #foreach ($entry in $securityConsiderationItems)
243 + <article class="service">
244 + <div class="service-icon" aria-hidden="true">
245 + <i class="fa fa-$entry.icon"></i>
246 + </div>
247 + <div class="service-body">
248 + <h4>$entry.title</h4>
249 + <p>$entry.content</p>
250 + </div>
251 + </article>
252 + #end
357 357   </div>
358 358   </div>
359 359   </section>
360 -
361 361   ## RELATED SERVICES
257 + #set ($relatedSecurityServiceItems = [{
258 + 'title': 'XWiki Upgrade Services',
259 + 'url': 'services.xwiki-upgrades',
260 + 'content': 'Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.',
261 + 'linkLabel': 'View upgrade services'
262 + },{
263 + 'title': 'Authentication & Access Control',
264 + 'url': 'services.xwiki-authentication-access-control',
265 + 'content': 'LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.',
266 + 'linkLabel': 'View access control services'
267 + }])
362 362   <section class="resource-strip" aria-labelledby="related-title">
363 363   <div class="container">
364 364   <h2 id="related-title">Related XWiki services</h2>
365 -
366 366   <p class="section-intro">
367 367   Security review often connects naturally with upgrades, maintenance and access-control improvements.
368 368   </p>
369 -
370 370   <div class="resource-grid">
371 - <article class="resource-card">
372 - <h4>XWiki Upgrade Services</h4>
373 - <p>
374 - Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.
375 - </p>
376 - <a href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a>
377 - </article>
378 -
379 - <article class="resource-card">
380 - <h4>Authentication &amp; Access Control</h4>
381 - <p>
382 - LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.
383 - </p>
384 - <a href="$xwiki.getURL('services.xwiki-authentication-access-control')">View access control services</a>
385 - </article>
275 + #foreach ($entry in $relatedSecurityServiceItems)
276 + <article class="resource-card">
277 + <h4>$entry.title</h4>
278 + <p>$entry.content</p>
279 + <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a>
280 + </article>
281 + #end
386 386   </div>
387 387   </div>
388 388   </section>
389 -
390 390   ## CTA
391 391   <section class="cta-section" aria-labelledby="cta-title">
392 392   <div class="container">
393 393   <div class="cta-panel">
394 394   <h2 id="cta-title">Need a security review for your XWiki instance?</h2>
395 -
396 396   <p>
397 397   Send your current XWiki version, hosting model, authentication setup, approximate user/group structure
398 398   and any specific security concerns you want to address. A short description is enough to start the review.
399 399   </p>
400 -
401 401   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
402 402   </div>
403 403   </div>
404 404   </section>
405 -
406 406  {{/html}}
407 407  {{/velocity}}
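Review bot: the new templates interpolate $entry.title, $entry.content, $item and $entry.linkLabel straight into markup that sits inside {{html clean="false"}}, with no escaping, and the effect is already visible in this hunk: the literal 'Authentication & Access Control' in $relatedSecurityServiceItems replaces the removed <h4>Authentication &amp; Access Control</h4>, so the rendered heading now contains a bare "&" instead of the entity. Wrap the interpolated values as $escapetool.xml($entry.title) (and likewise for content and linkLabel) so the entity is emitted correctly and so the loop stays safe if these maps are later moved out of the page source into XObjects or a configuration document that non-admins can edit; with cleaning disabled, unescaped values there would render as HTML. Two smaller regressions in the same hunk: the widgets section loses the forced line break that <h4>Version<br />review</h4> and its siblings carried, since the new <h4>$entry.title</h4> uses single-line titles; and the pathway cards gain a <div class="card-heading"> wrapper that has no counterpart in the removed markup, so check that the PublicWebSite.WebHome stylesheet styles it or the icon and <h3> will stack differently than before.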