Wiki source code of XWiki Security Review

Version 7.3 by Agnease on 2026/05/22 14:17

{{velocity}}
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
{{html clean="false"}}

## PAGE HEADER
<section class="hero hero-centered service-hero" aria-labelledby="hero-title">
<div class="container hero-inner">
<div class="hero-kicker">
<i class="fa fa-shield" aria-hidden="true"></i>
XWiki security review
</div>

<h1 id="hero-title">Security-aware review for XWiki production environments</h1>

<p class="lead">
Review XWiki versions, extensions, permissions, authentication, configuration and upgrade exposure
to identify practical security risks and define safer next steps.
</p>

<div class="hero-actions">
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
<a class="btn btn-secondary" href="#security-review-process">See the review approach</a>
</div>
</div>
</section>

## WHY SECURITY REVIEW MATTERS
<section aria-labelledby="why-security-title">
<div class="container">
<h2 id="why-security-title">Why review the security of an XWiki instance?</h2>

<p class="section-intro">
XWiki often contains internal documentation, procedures, customer information, project knowledge,
workflows and restricted business data. Security depends not only on the XWiki version, but also on
extensions, authentication, user rights, scripting, configuration and operational practices.
</p>

<div class="pathways">
<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-refresh" aria-hidden="true"></i>
</div>
<h3>Understand upgrade exposure</h3>
<p>
Older XWiki versions can miss important fixes, including security-related fixes that should be reviewed
against your current platform state.
</p>
<ul>
<li>Current version review</li>
<li>Upgrade gap assessment</li>
<li>LTS upgrade recommendations</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-key" aria-hidden="true"></i>
</div>
<h3>Review powerful rights</h3>
<p>
Rights such as admin, programming, script and edit rights can affect the security of the whole platform
when granted too broadly.
</p>
<ul>
<li>Admin and programming rights</li>
<li>Script and edit rights</li>
<li>Space and page permission inheritance</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-lock" aria-hidden="true"></i>
</div>
<h3>Check access boundaries</h3>
<p>
Authentication, group synchronization and permissions should match the real access boundaries expected
by the organization.
</p>
<ul>
<li>Authentication configuration</li>
<li>Group and user model</li>
<li>Restricted content visibility</li>
</ul>
</article>
</div>
</div>
</section>

## COMMON REVIEW AREAS
<section class="services" aria-labelledby="review-areas-title">
<div class="container">
<h2 id="review-areas-title">Common security review areas</h2>

<p class="section-intro">
The review focuses on practical XWiki security risks that can affect real production environments,
especially older instances, customized platforms and installations with complex access control.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-code-fork"></i>
</div>
<div class="service-body">
<h4>XWiki version and upgrade status</h4>
<p>
Review of the current version, distance from supported releases, upgrade history and recommended update path.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-puzzle-piece"></i>
</div>
<div class="service-body">
<h4>Installed extensions</h4>
<p>
Review of installed extensions, compatibility concerns, outdated components and potentially sensitive features.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-user-secret"></i>
</div>
<div class="service-body">
<h4>Powerful user rights</h4>
<p>
Review of admin, programming, script, edit and application-related rights that may increase platform risk.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-sign-in"></i>
</div>
<div class="service-body">
<h4>Authentication configuration</h4>
<p>
Review of login method, LDAP/AD, SSO, OIDC, SAML, MFA, user creation and group synchronization behavior.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-lock"></i>
</div>
<div class="service-body">
<h4>Permissions and visibility</h4>
<p>
Review of access rights, inheritance, restricted spaces, public pages, hidden assumptions and permission complexity.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-server"></i>
</div>
<div class="service-body">
<h4>Configuration and deployment</h4>
<p>
Review of configuration choices, deployment assumptions, reverse proxy setup, attachments, logs and operational risks.
</p>
</div>
</article>
</div>
</div>
</section>

## REVIEW APPROACH
<section id="security-review-process" class="split-section" aria-labelledby="process-title">
<div class="container">
<div class="split-grid">
<div class="split-copy">
<h2 id="process-title">A practical security review approach</h2>

<p>
The objective is to identify security-relevant risks that are specific to your XWiki setup, not to produce
a generic checklist. A useful review should consider the version, configuration, customizations, extensions,
users, groups and operational context together.
</p>

<p>
The review is handled carefully and responsibly. The goal is to provide actionable findings and safer
next steps without exposing sensitive vulnerability details unnecessarily or disrupting the production instance.
</p>
</div>

<ol class="process-list">
<li>
<strong>Review the current platform state</strong>
XWiki version, extensions, configuration, authentication, deployment model and known customizations.
</li>
<li>
<strong>Assess access and rights</strong>
User groups, powerful rights, permission inheritance, public visibility and restricted content areas.
</li>
<li>
<strong>Identify security-relevant risks</strong>
Version exposure, configuration issues, risky rights, outdated components or operational weaknesses.
</li>
<li>
<strong>Prioritize recommended actions</strong>
Classify findings by practical impact and define realistic remediation steps.
</li>
<li>
<strong>Plan follow-up improvements</strong>
Upgrade path, rights cleanup, authentication changes, extension updates or maintenance recommendations.
</li>
</ol>
</div>
</div>
</section>

## WHAT CAN BE INCLUDED
<section aria-labelledby="included-title">
<div class="container">
<h2 id="included-title">What can be included</h2>

<p class="section-intro">
The scope can be adjusted depending on the sensitivity of the instance, the age of the platform,
the number of users and the complexity of the configuration.
</p>

<div class="widgets">
<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-refresh"></i>
<h4>Version<br />review</h4>
</div>
<p>
Review of the current XWiki version, upgrade gap, supported version options and recommended upgrade path.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-key"></i>
<h4>Rights<br />review</h4>
</div>
<p>
Review of admin, programming, script, edit and view rights across important spaces and user groups.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-sign-in"></i>
<h4>Authentication<br />review</h4>
</div>
<p>
Review of LDAP, Active Directory, SSO, OIDC, SAML, MFA and user synchronization configuration.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-file-text-o"></i>
<h4>Findings<br />report</h4>
</div>
<p>
Practical summary of findings, risks, recommended actions and follow-up priorities.
</p>
</article>
</div>
</div>
</section>

## IMPORTANT CONSIDERATIONS
<section class="services" aria-labelledby="considerations-title">
<div class="container">
<h2 id="considerations-title">Important considerations</h2>

<p class="section-intro">
A security review should be practical, careful and aligned with the way the XWiki instance is actually used.
The purpose is to reduce risk, not to create unnecessary disruption or expose sensitive information.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-eye-slash"></i>
</div>
<div class="service-body">
<h4>Responsible vulnerability handling</h4>
<p>
Findings are communicated in a way that helps remediation without unnecessarily exposing exploit details.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-balance-scale"></i>
</div>
<div class="service-body">
<h4>Risk-based prioritization</h4>
<p>
Not all issues have the same impact. Recommendations are prioritized by practical exposure and business context.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-users"></i>
</div>
<div class="service-body">
<h4>User and group complexity</h4>
<p>
Directory synchronization, group mappings and rights inheritance can create hidden access-control risks.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-code"></i>
</div>
<div class="service-body">
<h4>Custom code and scripting</h4>
<p>
Custom applications, Velocity scripts, macros and extensions may require review when they affect security-sensitive behavior.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-refresh"></i>
</div>
<div class="service-body">
<h4>Upgrade as remediation</h4>
<p>
In many cases, the most effective security improvement is a controlled upgrade to a supported XWiki version.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-check-square-o"></i>
</div>
<div class="service-body">
<h4>Actionable next steps</h4>
<p>
The review should lead to clear remediation actions, not only a list of theoretical concerns.
</p>
</div>
</article>
</div>
</div>
</section>

## RELATED SERVICES
<section class="resource-strip" aria-labelledby="related-title">
<div class="container">
<h2 id="related-title">Related XWiki services</h2>

<p class="section-intro">
Security review often connects naturally with upgrades, maintenance and access-control improvements.
</p>

<div class="resource-grid">
<article class="resource-card">
<h4>XWiki Upgrade Services</h4>
<p>
Safe LTS upgrades with staging validation, compatibility checks, rollback planning and post-upgrade verification.
</p>
<a href="$xwiki.getURL('services.xwiki-upgrades')">View upgrade services</a>
</article>

<article class="resource-card">
<h4>Authentication &amp; Access Control</h4>
<p>
LDAP, Active Directory, SSO, OIDC, SAML, MFA, group synchronization and permissions support.
</p>
<a href="$xwiki.getURL('services.xwiki-authentication-access-control')">View access control services</a>
</article>
</div>
</div>
</section>

## CTA
<section class="cta-section" aria-labelledby="cta-title">
<div class="container">
<div class="cta-panel">
<h2 id="cta-title">Need a security review for your XWiki instance?</h2>

<p>
Send your current XWiki version, hosting model, authentication setup, approximate user/group structure
and any specific security concerns you want to address. A short description is enough to start the review.
</p>

<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Request a security review</a>
</div>
</div>
</section>

{{/html}}
{{/velocity}}