I just installed XWiki on Debian following https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/InstallationViaAPT/ using the xwiki-tomcat9-pgsql package.
After installation is finished, Tomcat will start and bind to port 8080, as configured in Tomcat's server.xml (/etc/tomcat/server.xml), lines 69-71:
<Connector port="8080" protocol="HTTP/1.1"
If installed on an internet-facing system, this will result in the DistributionWizard being available to the world by default, allowing an albeit small window of abuse of the DistributionWizard by a malicious actor.
A more prudent way would be to bind to localhost by default, e.g. by changing line 69 of server.xml to the following:
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
and adding instructions to the installation guide on how to finish the installation using SSH port forwarding, or to delete address="127.0.0.1" from server.xml with the notice that this will expose the DistributionWizard to the world.
Thanks & kind regards,
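As an added example (not part of the original post and not XWiki's or Debian's own tooling), the following POSIX shell script checks which address the Tomcat HTTP connector in a server.xml is bound to, so an administrator can confirm whether the DistributionWizard is reachable from every interface or only via loopback. It assumes the Debian layout where the `<Connector port="8080" ...>` element starts on its own line, as in the post; the two server.xml fragments it runs against are constructed for the demo and are not the real Debian file.

```shell
#!/bin/sh
# Added example: report how Tomcat's HTTP connector is bound.
# Assumption: the <Connector port="8080" ...> element begins on one line,
# as in the Debian /etc/tomcat/server.xml quoted in the post.

# Print the address attribute of the Connector on the given port (default
# 8080), or 0.0.0.0 when no address is set, which is Tomcat's default of
# listening on all interfaces. Returns 1 if no such Connector exists.
connector_address() {
    file="$1"; port="${2:-8080}"
    line=$(grep -E "<Connector[[:space:]]+port=\"$port\"" "$file" | head -n 1)
    [ -n "$line" ] || return 1
    addr=$(printf '%s\n' "$line" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
    printf '%s\n' "${addr:-0.0.0.0}"
}

# Exit 0 when the connector is bound to loopback only, 1 otherwise.
is_loopback_bound() {
    addr=$(connector_address "$1" "${2:-8080}") || return 1
    case "$addr" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample fragments (not the real Debian file) for a demo run.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/exposed.xml" <<'EOF'
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
EOF
cat > "$tmp/local.xml" <<'EOF'
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               connectionTimeout="20000"
               redirectPort="8443" />
EOF

for f in "$tmp/exposed.xml" "$tmp/local.xml"; do
    if is_loopback_bound "$f"; then
        # Loopback only: finish setup through an SSH tunnel from the admin host.
        echo "$f: bound to $(connector_address "$f"); reach it with: ssh -L 8080:127.0.0.1:8080 user@host"
    else
        echo "$f: bound to $(connector_address "$f"); the DistributionWizard is reachable on every interface"
    fi
done
```

Run it against the real file with `connector_address /etc/tomcat/server.xml` after sourcing the functions; a result of 0.0.0.0 on an internet-facing host means the wizard is exposed until the address attribute is added or the installation is completed.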