
CVE-2025-24893: XWiki Platform allows remote code execution as guest via SolrSearchMacros request

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.99733%
Published: 2/20/2025
Updated: 2/20/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name                                      Ecosystem  Vulnerable Versions             First Patched Version
org.xwiki.platform:xwiki-platform-search-solr-ui  maven      >= 5.3-milestone-2, < 15.10.11  15.10.11
org.xwiki.platform:xwiki-platform-search-solr-ui  maven      >= 16.0.0-rc-1, < 16.4.1        16.4.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows remote code execution via a crafted 'text' parameter in a request to Main/SolrSearch when media=rss. The core issue lies in how the RSS feed content, which includes this user input, is rendered.

The commit 67021db9b8ed26c2236a653269302a86bf01ef40 patches this by modifying Main/SolrSearchMacros.xml.

  1. The outputRSSFeed macro within Main.SolrSearchMacros.xml directly output the feed content using $xwiki.feed.getFeedOutput($feed, 'rss_2.0'). Because that output went through the XWiki rendering engine, any embedded scripts (such as Groovy macros) that had reached the feed content from the user's 'text' parameter were processed and executed. This is the unsafe rendering sink where the vulnerability was located. The patch replaces the direct output with a new #rawResponse macro, which explicitly sets the content type and writes the data raw; crucially, it calls $xcontext.setFinished(true) so that no further rendering, and therefore no script execution, takes place.
  2. The handleSolrSearchRequest macro, also in Main.SolrSearchMacros.xml, handles the incoming request. It takes request.text (the user input) and uses it to create the feed via $services.search.solr.createFeed(...); the resulting feed is then passed to outputRSSFeed. handleSolrSearchRequest is therefore the function that processes the potentially malicious input and directs it to the vulnerable rendering logic in outputRSSFeed.

Both macros are identified: outputRSSFeed for containing the vulnerable rendering code and handleSolrSearchRequest for processing the malicious input and calling the vulnerable rendering part. The names provided are the Velocity macro names, which are the most precise identifiers in this context.
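A detection check for the request shape described above, added here as an example that is not part of the Miggo page or the XWiki project: it scans constructed web-server access-log lines (combined log format, constructed IPs and payload marker) for GET requests to Main/SolrSearch with media=rss whose text parameter carries XWiki macro syntax ({{...}}), the shape a defender would alert on until the search-solr-ui package is at a patched version.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines; the second one carries only an inert macro marker.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=xwiki+release+notes HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2025:10:01:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7DCONSTRUCTED%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [20/Feb/2025:10:02:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Pull the request target out of a combined-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# XWiki 2.x macro syntax is {{name ...}} / {{/name}}; search text never needs it.
MACRO_RE = re.compile(r"\{\{\s*/?\s*[A-Za-z]")


def suspicious_solr_search(target: str) -> bool:
    """True when a request target matches the CVE-2025-24893 vector:
    path Main/SolrSearch, media=rss, and macro syntax inside the text parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/Main/SolrSearch"):
        return False
    # parse_qs percent-decodes values, so %7B%7B is compared as "{{".
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "rss" not in qs.get("media", []):
        return False
    return any(MACRO_RE.search(text) for text in qs.get("text", []))


def scan_log(log_text: str) -> list[str]:
    """Return the client IPs of all log lines whose request matches the vector."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and suspicious_solr_search(match.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # ['203.0.113.7']
```

The third sample line is deliberately not flagged: it has macro syntax in text but no media=rss, so it does not reach the outputRSSFeed sink described above; widen the rule if you also want to see such probing.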
