Changes for page XWiki Security Review

Last modified by Agnease on 2026/05/25 16:04

From version 7.4
edited by Agnease
on 2026/05/25 16:04
Change comment: There is no comment for this version
To version 3.1
edited by Agnease
on 2026/05/22 06:04
Change comment: There is no comment for this version

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -XWiki Security Review
1 +XWiki Security Review | Version, Rights and Configuration Checks
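Review bot: The `+` side of the title (line 1) appends a pipe-separated keyword suffix to the document title, and XWiki reuses the document title in breadcrumbs, the navigation tree and link labels, so the suffix will show up there as well; note that this comparison runs from version 7.4 to version 3.1, so the `+` side is the earlier revision and the short `XWiki Security Review` is the later one. If the keyword phrase is wanted for the browser tab or search listings, the `metaTitle` property of `Agnease.Code.SEODetailsClass` (shown at the end of this diff) is the place for it, not the page title.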
Content
... ... @@ -1,18 +1,27 @@
1 1  {{velocity}}
2 2  #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 3  {{html clean="false"}}
4 +
4 4   ## PAGE HEADER
5 - <section class="hero hero-centered" aria-labelledby="hero-title">
6 + <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
6 6   <div class="container hero-inner">
7 7   <div class="hero-kicker">
8 8   <i class="fa fa-shield" aria-hidden="true"></i>
9 9   XWiki security review
10 10   </div>
12 +
11 11   <h1 id="hero-title">Security-aware review for XWiki production environments</h1>
14 +
12 12   <p class="lead">
13 - Review XWiki versions, extensions, permissions, authentication, configuration and upgrade exposure
14 - to identify practical security risks and define safer next steps.
16 + Understand the security posture of your XWiki instance by reviewing versions, extensions, rights,
17 + authentication, configuration and upgrade exposure.
15 15   </p>
19 +
20 + <p class="hero-support">
21 + We help organizations identify practical security risks in their XWiki platform and define a clear path
22 + toward safer operation, maintenance and upgrades.
23 + </p>
24 +
16 16   <div class="hero-actions">
17 17   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
18 18   <a class="btn btn-secondary" href="#security-review-process">See the review approach</a>
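Review bot: The `+` side adds the `service-hero` class on the `<section>` (line 6) and a `hero-support` paragraph (lines 20-23), but the only stylesheet this page pulls in is `PublicWebSite.WebHome` via `$xwiki.ssx.use` (line 2); confirm both class names are defined there, otherwise they are silent no-ops. Both versions carry "There is no comment for this version", so a one-line change comment describing the hero copy rewrite (the lead paragraph on lines 13-14 versus 16-17) would make the page history useful.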
... ... @@ -19,281 +19,385 @@
19 19   </div>
20 20   </div>
21 21   </section>
31 +
22 22   ## WHY SECURITY REVIEW MATTERS
23 - #set ($securityReasonItems = [{
24 - 'title': 'Understand upgrade exposure',
25 - 'icon': 'refresh',
26 - 'content': 'Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed against your current platform state.',
27 - 'items': [
28 - 'Current version review',
29 - 'Upgrade gap assessment',
30 - 'LTS upgrade recommendations'
31 - ]
32 - },{
33 - 'title': 'Review powerful rights',
34 - 'icon': 'key',
35 - 'content': 'Rights such as admin, programming, script and edit rights can affect the security of the whole platform when granted too broadly.',
36 - 'items': [
37 - 'Admin and programming rights',
38 - 'Script and edit rights',
39 - 'Space and page permission inheritance'
40 - ]
41 - },{
42 - 'title': 'Check access boundaries',
43 - 'icon': 'lock',
44 - 'content': 'Authentication, group synchronization and permissions should match the real access boundaries expected by the organization.',
45 - 'items': [
46 - 'Authentication configuration',
47 - 'Group and user model',
48 - 'Restricted content visibility'
49 - ]
50 - }])
51 51   <section aria-labelledby="why-security-title">
52 52   <div class="container">
53 53   <h2 id="why-security-title">Why review the security of an XWiki instance?</h2>
36 +
54 54   <p class="section-intro">
55 55   XWiki often contains internal documentation, procedures, customer information, project knowledge,
56 56   workflows and restricted business data. Security depends not only on the XWiki version, but also on
57 57   extensions, authentication, user rights, scripting, configuration and operational practices.
58 58   </p>
42 +
59 59   <div class="pathways">
60 - #foreach ($entry in $securityReasonItems)
61 - <article class="pathway-card">
62 - <div class="card-heading">
63 - <div class="pathway-icon">
64 - <i class="fa fa-$entry.icon" aria-hidden="true"></i>
65 - </div>
66 - <h3>$entry.title</h3>
67 - </div>
68 - <p>$entry.content</p>
69 - <ul>
70 - #foreach ($item in $entry.items)
71 - <li>$item</li>
72 - #end
73 - </ul>
74 - </article>
75 - #end
44 + <article class="pathway-card">
45 + <div class="pathway-icon">
46 + <i class="fa fa-refresh" aria-hidden="true"></i>
47 + </div>
48 + <h3>Understand upgrade exposure</h3>
49 + <p>
50 + Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed
51 + against your current platform state.
52 + </p>
53 + <ul>
54 + <li>Current version review</li>
55 + <li>Upgrade gap assessment</li>
56 + <li>LTS upgrade recommendations</li>
57 + </ul>
58 + </article>
59 +
60 + <article class="pathway-card">
61 + <div class="pathway-icon">
62 + <i class="fa fa-key" aria-hidden="true"></i>
63 + </div>
64 + <h3>Review powerful rights</h3>
65 + <p>
66 + Rights such as admin, programming, script and edit rights can affect the security of the whole platform
67 + when granted too broadly.
68 + </p>
69 + <ul>
70 + <li>Admin and programming rights</li>
71 + <li>Script and edit rights</li>
72 + <li>Space and page permission inheritance</li>
73 + </ul>
74 + </article>
75 +
76 + <article class="pathway-card">
77 + <div class="pathway-icon">
78 + <i class="fa fa-lock" aria-hidden="true"></i>
79 + </div>
80 + <h3>Check access boundaries</h3>
81 + <p>
82 + Authentication, group synchronization and permissions should match the real access boundaries expected
83 + by the organization.
84 + </p>
85 + <ul>
86 + <li>Authentication configuration</li>
87 + <li>Group and user model</li>
88 + <li>Restricted content visibility</li>
89 + </ul>
90 + </article>
76 76   </div>
77 77   </div>
78 78   </section>
94 +
79 79   ## COMMON REVIEW AREAS
80 - #set ($securityReviewAreaItems = [{
81 - 'title': 'XWiki version and upgrade status',
82 - 'icon': 'code-fork',
83 - 'content': 'Review of the current version, distance from supported releases, upgrade history and recommended update path.'
84 - },{
85 - 'title': 'Installed extensions',
86 - 'icon': 'puzzle-piece',
87 - 'content': 'Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.'
88 - },{
89 - 'title': 'Powerful user rights',
90 - 'icon': 'user-secret',
91 - 'content': 'Review of admin, programming, script, edit and application-related rights that may increase platform risk.'
92 - },{
93 - 'title': 'Authentication configuration',
94 - 'icon': 'sign-in',
95 - 'content': 'Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.'
96 - },{
97 - 'title': 'Permissions and visibility',
98 - 'icon': 'lock',
99 - 'content': 'Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.'
100 - },{
101 - 'title': 'Configuration and deployment',
102 - 'icon': 'server',
103 - 'content': 'Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.'
104 - }])
105 105   <section class="services" aria-labelledby="review-areas-title">
106 106   <div class="container">
107 107   <h2 id="review-areas-title">Common security review areas</h2>
99 +
108 108   <p class="section-intro">
109 109   The review focuses on practical XWiki security risks that can affect real production environments,
110 110   especially older instances, customized platforms and installations with complex access control.
111 111   </p>
104 +
112 112   <div class="services-grid">
113 - #foreach ($entry in $securityReviewAreaItems)
114 - <article class="service">
115 - <div class="service-icon" aria-hidden="true">
116 - <i class="fa fa-$entry.icon"></i>
117 - </div>
118 - <div class="service-body">
119 - <h4>$entry.title</h4>
120 - <p>$entry.content</p>
121 - </div>
122 - </article>
123 - #end
106 + <article class="service">
107 + <div class="service-icon" aria-hidden="true">
108 + <i class="fa fa-code-fork"></i>
109 + </div>
110 + <div class="service-body">
111 + <h4>XWiki version and upgrade status</h4>
112 + <p>
113 + Review of the current version, distance from supported releases, upgrade history and recommended update path.
114 + </p>
115 + </div>
116 + </article>
117 +
118 + <article class="service">
119 + <div class="service-icon" aria-hidden="true">
120 + <i class="fa fa-puzzle-piece"></i>
121 + </div>
122 + <div class="service-body">
123 + <h4>Installed extensions</h4>
124 + <p>
125 + Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.
126 + </p>
127 + </div>
128 + </article>
129 +
130 + <article class="service">
131 + <div class="service-icon" aria-hidden="true">
132 + <i class="fa fa-user-secret"></i>
133 + </div>
134 + <div class="service-body">
135 + <h4>Powerful user rights</h4>
136 + <p>
137 + Review of admin, programming, script, edit and application-related rights that may increase platform risk.
138 + </p>
139 + </div>
140 + </article>
141 +
142 + <article class="service">
143 + <div class="service-icon" aria-hidden="true">
144 + <i class="fa fa-sign-in"></i>
145 + </div>
146 + <div class="service-body">
147 + <h4>Authentication configuration</h4>
148 + <p>
149 + Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.
150 + </p>
151 + </div>
152 + </article>
153 +
154 + <article class="service">
155 + <div class="service-icon" aria-hidden="true">
156 + <i class="fa fa-lock"></i>
157 + </div>
158 + <div class="service-body">
159 + <h4>Permissions and visibility</h4>
160 + <p>
161 + Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.
162 + </p>
163 + </div>
164 + </article>
165 +
166 + <article class="service">
167 + <div class="service-icon" aria-hidden="true">
168 + <i class="fa fa-server"></i>
169 + </div>
170 + <div class="service-body">
171 + <h4>Configuration and deployment</h4>
172 + <p>
173 + Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.
174 + </p>
175 + </div>
176 + </article>
124 124   </div>
125 125   </div>
126 126   </section>
180 +
127 127   ## REVIEW APPROACH
128 - #set ($securityReviewProcessItems = [{
129 - 'title': 'Review the current platform state',
130 - 'content': 'XWiki version, extensions, configuration, authentication, deployment model and known customizations.'
131 - },{
132 - 'title': 'Assess access and rights',
133 - 'content': 'User groups, powerful rights, permission inheritance, public visibility and restricted content areas.'
134 - },{
135 - 'title': 'Identify security-relevant risks',
136 - 'content': 'Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.'
137 - },{
138 - 'title': 'Prioritize recommended actions',
139 - 'content': 'Classify findings by practical impact and define realistic remediation steps.'
140 - },{
141 - 'title': 'Plan follow-up improvements',
142 - 'content': 'Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.'
143 - }])
144 144   <section id="security-review-process" class="split-section" aria-labelledby="process-title">
145 145   <div class="container">
146 146   <div class="split-grid">
147 147   <div class="split-copy">
148 148   <h2 id="process-title">A practical security review approach</h2>
187 +
149 149   <p>
150 150   The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce
151 151   a generic checklist. A useful review should consider the version, configuration, customizations, extensions,
152 152   users, groups and operational context together.
153 153   </p>
193 +
154 154   <p>
155 155   The review is handled carefully and responsibly. The goal is to provide actionable findings and safer
156 156   next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance.
157 157   </p>
158 158   </div>
199 +
159 159   <ol class="process-list">
160 - #foreach ($entry in $securityReviewProcessItems)
161 - <li>
162 - <strong>$entry.title</strong>
163 - $entry.content
164 - </li>
165 - #end
201 + <li>
202 + <strong>Review the current platform state</strong>
203 + XWiki version, extensions, configuration, authentication, deployment model and known customizations.
204 + </li>
205 + <li>
206 + <strong>Assess access and rights</strong>
207 + User groups, powerful rights, permission inheritance, public visibility and restricted content areas.
208 + </li>
209 + <li>
210 + <strong>Identify security-relevant risks</strong>
211 + Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.
212 + </li>
213 + <li>
214 + <strong>Prioritize recommended actions</strong>
215 + Classify findings by practical impact and define realistic remediation steps.
216 + </li>
217 + <li>
218 + <strong>Plan follow-up improvements</strong>
219 + Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.
220 + </li>
166 166   </ol>
167 167   </div>
168 168   </div>
169 169   </section>
225 +
170 170   ## WHAT CAN BE INCLUDED
171 - #set ($securityIncludedItems = [{
172 - 'title': 'Version review',
173 - 'icon': 'refresh',
174 - 'content': 'Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.'
175 - },{
176 - 'title': 'Rights review',
177 - 'icon': 'key',
178 - 'content': 'Review of admin, programming, script, edit and view rights across important spaces and user groups.'
179 - },{
180 - 'title': 'Authentication review',
181 - 'icon': 'sign-in',
182 - 'content': 'Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.'
183 - },{
184 - 'title': 'Findings report',
185 - 'icon': 'file-text-o',
186 - 'content': 'Practical summary of findings, risks, recommended actions and follow-up priorities.'
187 - }])
188 188   <section aria-labelledby="included-title">
189 189   <div class="container">
190 190   <h2 id="included-title">What can be included</h2>
230 +
191 191   <p class="section-intro">
192 192   The scope can be adjusted depending on the sensitivity of the instance, the age of the platform,
193 193   the number of users and the complexity of the configuration.
194 194   </p>
235 +
195 195   <div class="widgets">
196 - #foreach ($entry in $securityIncludedItems)
197 - <article class="widget">
198 - <div class="icon" aria-hidden="true">
199 - <i class="fa fa-$entry.icon"></i>
200 - <h4>$entry.title</h4>
201 - </div>
202 - <p>$entry.content</p>
203 - </article>
204 - #end
237 + <article class="widget">
238 + <div class="icon" aria-hidden="true">
239 + <i class="fa fa-refresh"></i>
240 + <h4>Version<br />review</h4>
241 + </div>
242 + <p>
243 + Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.
244 + </p>
245 + </article>
246 +
247 + <article class="widget">
248 + <div class="icon" aria-hidden="true">
249 + <i class="fa fa-key"></i>
250 + <h4>Rights<br />review</h4>
251 + </div>
252 + <p>
253 + Review of admin, programming, script, edit and view rights across important spaces and user groups.
254 + </p>
255 + </article>
256 +
257 + <article class="widget">
258 + <div class="icon" aria-hidden="true">
259 + <i class="fa fa-sign-in"></i>
260 + <h4>Authentication<br />review</h4>
261 + </div>
262 + <p>
263 + Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.
264 + </p>
265 + </article>
266 +
267 + <article class="widget">
268 + <div class="icon" aria-hidden="true">
269 + <i class="fa fa-file-text-o"></i>
270 + <h4>Findings<br />report</h4>
271 + </div>
272 + <p>
273 + Practical summary of findings, risks, recommended actions and follow-up priorities.
274 + </p>
275 + </article>
205 205   </div>
206 206   </div>
207 207   </section>
279 +
208 208   ## IMPORTANT CONSIDERATIONS
209 - #set ($securityConsiderationItems = [{
210 - 'title': 'Responsible vulnerability handling',
211 - 'icon': 'eye-slash',
212 - 'content': 'Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.'
213 - },{
214 - 'title': 'Risk-based prioritization',
215 - 'icon': 'balance-scale',
216 - 'content': 'Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.'
217 - },{
218 - 'title': 'User and group complexity',
219 - 'icon': 'users',
220 - 'content': 'Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.'
221 - },{
222 - 'title': 'Custom code and scripting',
223 - 'icon': 'code',
224 - 'content': 'Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.'
225 - },{
226 - 'title': 'Upgrade as remediation',
227 - 'icon': 'refresh',
228 - 'content': 'In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.'
229 - },{
230 - 'title': 'Actionable next steps',
231 - 'icon': 'check-square-o',
232 - 'content': 'The review should lead to clear remediation actions, not only a list of theoretical concerns.'
233 - }])
234 234   <section class="services" aria-labelledby="considerations-title">
235 235   <div class="container">
236 236   <h2 id="considerations-title">Important considerations</h2>
284 +
237 237   <p class="section-intro">
238 238   A security review should be practical, careful and aligned with the way the XWiki instance is actually used.
239 239   The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information.
240 240   </p>
289 +
241 241   <div class="services-grid">
242 - #foreach ($entry in $securityConsiderationItems)
243 - <article class="service">
244 - <div class="service-icon" aria-hidden="true">
245 - <i class="fa fa-$entry.icon"></i>
246 - </div>
247 - <div class="service-body">
248 - <h4>$entry.title</h4>
249 - <p>$entry.content</p>
250 - </div>
251 - </article>
252 - #end
291 + <article class="service">
292 + <div class="service-icon" aria-hidden="true">
293 + <i class="fa fa-eye-slash"></i>
294 + </div>
295 + <div class="service-body">
296 + <h4>Responsible vulnerability handling</h4>
297 + <p>
298 + Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.
299 + </p>
300 + </div>
301 + </article>
302 +
303 + <article class="service">
304 + <div class="service-icon" aria-hidden="true">
305 + <i class="fa fa-balance-scale"></i>
306 + </div>
307 + <div class="service-body">
308 + <h4>Risk-based prioritization</h4>
309 + <p>
310 + Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.
311 + </p>
312 + </div>
313 + </article>
314 +
315 + <article class="service">
316 + <div class="service-icon" aria-hidden="true">
317 + <i class="fa fa-users"></i>
318 + </div>
319 + <div class="service-body">
320 + <h4>User and group complexity</h4>
321 + <p>
322 + Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.
323 + </p>
324 + </div>
325 + </article>
326 +
327 + <article class="service">
328 + <div class="service-icon" aria-hidden="true">
329 + <i class="fa fa-code"></i>
330 + </div>
331 + <div class="service-body">
332 + <h4>Custom code and scripting</h4>
333 + <p>
334 + Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.
335 + </p>
336 + </div>
337 + </article>
338 +
339 + <article class="service">
340 + <div class="service-icon" aria-hidden="true">
341 + <i class="fa fa-refresh"></i>
342 + </div>
343 + <div class="service-body">
344 + <h4>Upgrade as remediation</h4>
345 + <p>
346 + In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.
347 + </p>
348 + </div>
349 + </article>
350 +
351 + <article class="service">
352 + <div class="service-icon" aria-hidden="true">
353 + <i class="fa fa-check-square-o"></i>
354 + </div>
355 + <div class="service-body">
356 + <h4>Actionable next steps</h4>
357 + <p>
358 + The review should lead to clear remediation actions, not only a list of theoretical concerns.
359 + </p>
360 + </div>
361 + </article>
253 253   </div>
254 254   </div>
255 255   </section>
365 +
256 256   ## RELATED SERVICES
257 - #set ($relatedSecurityServiceItems = [{
258 - 'title': 'XWiki Upgrade Services',
259 - 'url': 'services.xwiki-upgrades',
260 - 'content': 'Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.',
261 - 'linkLabel': 'View upgrade services'
262 - },{
263 - 'title': 'Authentication & Access Control',
264 - 'url': 'services.xwiki-authentication-access-control',
265 - 'content': 'LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.',
266 - 'linkLabel': 'View access control services'
267 - }])
268 268   <section class="resource-strip" aria-labelledby="related-title">
269 269   <div class="container">
270 270   <h2 id="related-title">Related XWiki services</h2>
370 +
271 271   <p class="section-intro">
272 272   Security review often connects naturally with upgrades, maintenance and access-control improvements.
273 273   </p>
374 +
274 274   <div class="resource-grid">
275 - #foreach ($entry in $relatedSecurityServiceItems)
276 - <article class="resource-card">
277 - <h4>$entry.title</h4>
278 - <p>$entry.content</p>
279 - <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a>
280 - </article>
281 - #end
376 + <article class="resource-card">
377 + <h4>XWiki Upgrade Services</h4>
378 + <p>
379 + Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.
380 + </p>
381 + <a href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a>
382 + </article>
383 +
384 + <article class="resource-card">
385 + <h4>Authentication &amp; Access Control</h4>
386 + <p>
387 + LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.
388 + </p>
389 + <a href="$xwiki.getURL('services.xwiki-authentication-access-control')">View access control services</a>
390 + </article>
282 282   </div>
283 283   </div>
284 284   </section>
394 +
285 285   ## CTA
286 286   <section class="cta-section" aria-labelledby="cta-title">
287 287   <div class="container">
288 288   <div class="cta-panel">
289 289   <h2 id="cta-title">Need a security review for your XWiki instance?</h2>
400 +
290 290   <p>
291 291   Send your current XWiki version, hosting model, authentication setup, approximate user/group structure
292 292   and any specific security concerns you want to address. A short description is enough to start the review.
293 293   </p>
405 +
294 294   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
295 295   </div>
296 296   </div>
297 297   </section>
410 +
298 298  {{/html}}
299 299  {{/velocity}}
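Review bot: On the `+` side the widget headings (`<h4>Version<br />review</h4>` on line 240, and likewise lines 250, 260 and 270) sit inside `<div class="icon" aria-hidden="true">`, so the heading text is hidden from screen readers; move each `<h4>` out of the `aria-hidden` wrapper (the `-` side has the same defect on lines 198-201, where `<h4>$entry.title</h4>` is inside the icon div). The `+` side also drops the `<div class="card-heading">` wrapper that the `-` side places around the pathway icon and `<h3>` (lines 62-67), so check the stylesheet for rules keyed on `.card-heading` before accepting the flattened markup. The `-` side replaces the hand-expanded card blocks with `#set` lists and `#foreach` loops, which removes the copy-pasted markup, but `$entry.title` and `$entry.content` are emitted unescaped inside `{{html clean="false"}}` (lines 66 and 68, for example), so any `&` or `<` in those Velocity strings reaches the browser raw; the `+` side correctly writes `Authentication &amp; Access Control` (line 385) where the `-` side's literal `'Authentication & Access Control'` (line 263) emits a bare `&`. If the loop form is kept, either pre-escape those strings or pass them through `$escapetool.xml` at the point of output.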
Agnease.Code.SEODetailsClass[0]
metaTitle
... ... @@ -1,1 +1,0 @@
1 -XWiki Security Review for Versions, Rights and Configuration | Agnease
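Review bot: The `metaTitle` is deleted outright (`@@ -1,1 +1,0 @@`) with nothing replacing it, so on the `+` side the page has no SEO title of its own and the browser tab falls back to the document title; together with the pipe-suffixed document title in the Title hunk this reads as the SEO title being folded into the page title. The cleaner split is a short document title with the keyword phrase kept here in `metaTitle`, which is what the `-` side already does.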