QwikSec

Security Database

CVE

CWE

Training

CVE-2024-43401

Published: Aug 19, 2024

Modified: Aug 21, 2024

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.

Vendor	Product	Versions
xwiki	xwiki-platform	affected `< 15.10-rc-1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7

x_refsource_CONFIRM

https://jira.xwiki.org/browse/XWIKI-20331

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21311

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21481

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21482

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21483

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21484

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21485

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21486

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21487

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21488

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21489

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-21490

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.