CVE-2024-55877
XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
Severity Score
9.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-12-11 CVE Reserved
- 2024-12-12 CVE Published
- 2024-12-13 CVE Updated
- 2024-12-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 | X_refsource_misc | |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c | X_refsource_confirm | |
https://jira.xwiki.org/browse/XWIKI-22030 | X_refsource_misc |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | >= 9.7.0 < 15.10.11 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 9.7.0 < 15.10.11" | en |
Affected
| ||||||
Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | >= 16.0.0 < 16.4.1 Search vendor "Xwiki" for product "Xwiki-platform" and version " >= 16.0.0 < 16.4.1" | en |
Affected
| ||||||
Xwiki Search vendor "Xwiki" | Xwiki-platform Search vendor "Xwiki" for product "Xwiki-platform" | 16.5.0 Search vendor "Xwiki" for product "Xwiki-platform" and version "16.5.0" | en |
Affected
|