CVE-2024-37899

Disabling a user account changes its author, allowing RCE from user account in XWiki

Severity Score

9.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`.
As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### Workarounds
We're not aware of any workaround except upgrading.

### References
* https://jira.xwiki.org/browse/XWIKI-21611
* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

*Credits: N/A

CVSS Scores

GitHubv3.1 9.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-06-10 CVE Reserved
2024-06-20 CVE Published
2024-06-21 EPSS Updated
2024-08-13 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (3)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a	X_refsource_misc
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93	X_refsource_confirm
https://jira.xwiki.org/browse/XWIKI-21611	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform"				>= 13.4.7 <= 13.5 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 13.4.7 <= 13.5"		en		Affected
Xwiki Search vendor "Xwiki"		Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform"				>= 13.10.3 < 14.10.21 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 13.10.3 < 14.10.21"		en		Affected
Xwiki Search vendor "Xwiki"		Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform"				>= 15.0.0 < 15.5.5 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 15.0.0 < 15.5.5"		en		Affected
Xwiki Search vendor "Xwiki"		Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform"				>= 15.6.0 < 15.10.6 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 15.6.0 < 15.10.6"		en		Affected
Xwiki Search vendor "Xwiki"		Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform"				16.0.0 Search vendor "Xwiki" for product "Xwiki-platform" and version "16.0.0"		en		Affected