com.xwiki.confluencepro:application-confluence-migrator-pro-ui's application homepage is public
The homepage of the application is public, which lets a guest download the package, and the package might contain sensitive information.
A user without programming rights can execute arbitrary code when creating a page from the Migration Page template. A possible attack vector is the following:

1. Create a page and add the following content:
   confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
2. Use the object editor to add an object of type XWiki.TranslationDocumentClass with scope USER.
3. Access a nonexistent page using the MigrationTemplate: http://localhost:8080/xwiki/bin/edit/Page123?template=ConfluenceMigratorPro.Code.MigrationTemplate

It is expected that {{/html}} {{async …
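The vector above works because the translation value is rendered inside a macro that the value can close, after which a script macro runs. As an added example (not code from the advisory or from the Confluence Migrator Pro project), the following Python script flags translation bundle values that contain a closing macro tag or a script macro, and combines that with the object's scope. The sample bundle is constructed; the list of macro names scanned for, the key=value parsing, and the assumption that the USER and ON_DEMAND scopes can be registered without admin or programming rights are mine, not taken from the page.

```python
import re

# Constructed sample (not from the advisory): properties-style content of a
# translation document a user could attach as an XWiki.TranslationDocumentClass
# object. The first value is the payload shown above; the others are benign.
SAMPLE_TRANSLATIONS = """\
# constructed sample translation bundle
confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
confluencepro.job.question.title=Advanced options
confluencepro.job.question.help=Space {0} will be migrated
"""

# A value containing a closing macro tag can escape the macro the template
# renders it in; a script macro in the same value then executes. The macro
# names listed here are an assumption; extend them for macros installed locally.
CLOSING_MACRO = re.compile(r"\{\{/\s*[A-Za-z]\w*\s*\}\}")
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|async)\b", re.IGNORECASE)

# Assumed: translation scopes a plain user can register without admin or
# programming rights, i.e. the scopes a low-privilege attacker would pick.
LOW_PRIVILEGE_SCOPES = {"USER", "ON_DEMAND"}


def parse_translations(text):
    """Parse key=value lines into a dict; comments and blanks are skipped,
    escape sequences are not interpreted."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def find_suspicious(text):
    """Return [(key, [reasons])] for values that close a macro or start a script macro."""
    hits = []
    for key, value in parse_translations(text).items():
        reasons = []
        if CLOSING_MACRO.search(value):
            reasons.append("closes-macro")
        if SCRIPT_MACRO.search(value):
            reasons.append("script-macro")
        if reasons:
            hits.append((key, reasons))
    return hits


def assess_translation_object(scope, text):
    """Flag an object as risky when a suspicious value sits in a scope that
    needs no elevated rights to register."""
    hits = find_suspicious(text)
    risky = bool(hits) and scope.upper() in LOW_PRIVILEGE_SCOPES
    return {"scope": scope, "hits": hits, "risky": risky}


if __name__ == "__main__":
    for key, reasons in find_suspicious(SAMPLE_TRANSLATIONS):
        print(f"{key}: {', '.join(reasons)}")
    print(assess_translation_object("USER", SAMPLE_TRANSLATIONS))
```

Run it against the content of every TranslationDocumentClass object on the wiki; a hit in a USER-scoped object written by a non-admin is the pattern the advisory describes.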