CVE-2024-37901
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
Severity Score
10.0
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-10 CVE Reserved
- 2024-07-31 CVE Published
- 2024-08-13 CVE Updated
- 2024-09-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-862: Missing Authorization
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 | X_refsource_confirm | |
| https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b | X_refsource_misc | |
| https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e | X_refsource_misc | |
| https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 | X_refsource_misc | |
| https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 | X_refsource_misc | |
| https://jira.xwiki.org/browse/XWIKI-21473 | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | >= 15.6.0 < 15.10.2 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 15.6.0 < 15.10.2" | en |
Affected
| ||||||
| Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | >= 15.0.0 < 15.5.5 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 15.0.0 < 15.5.5" | en |
Affected
| ||||||
| Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | >= 9.2.0 < 14.10.21 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 9.2.0 < 14.10.21" | en |
Affected
| ||||||