CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 https://jira.xwiki.org/browse/XWIKI-21473 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •
CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28 https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949 https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f https://jira.xwiki.org/browse/XWIKI-19602 https://jira.xwiki.org/browse/XWIKI-19611 https://jira.xwiki.org/browse& • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVE-2024-38369 – XWiki programming rights may be inherited by inclusion
https://notcve.org/view.php?id=CVE-2024-38369
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh • CWE-863: Incorrect Authorization •
CVE-2024-37899 – Disabling a user account changes its author, allowing RCE from user account in XWiki
https://notcve.org/view.php?id=CVE-2024-37899
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93 https://jira.xwiki.org/browse/XWIKI-21611 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-31997 – XWiki Platform remote code execution from account through UIExtension parameters
https://notcve.org/view.php?id=CVE-2024-31997
XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. • https://github.com/xwiki/xwiki-platform/commit/171e7c7d0e56deaa7b3678657ae26ef95379b1ea https://github.com/xwiki/xwiki-platform/commit/1b2574eb966457ca4ef34e557376b8751d1be90d https://github.com/xwiki/xwiki-platform/commit/56748e154a9011f0d6239bec0823eaaeab6ec3f7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c2gg-4gq4-jv5j https://jira.xwiki.org/browse/XWIKI-21335 • CWE-862: Missing Authorization •