QwikSec

Security Database

CVE

CWE

Training

CVE-2024-37901

Published: Jul 31, 2024

Modified: Aug 13, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Vendor	Product	Versions
xwiki	xwiki-platform	affected `>= 15.6-rc-1, < 15.10.2` affected `>= 15.0-rc-1, < 15.5.5` affected `>= 9.2-rc-1, < 14.10.21`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b

x_refsource_MISC

https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e

x_refsource_MISC

https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4

x_refsource_MISC

https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21473

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.