CVE-2024-37901

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

06 Sep 2024, 20:54

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.9
v2 : unknown
v3 : 8.8
CWE CWE-94
First Time Xwiki xwiki
Xwiki
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
References () https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b - () https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b - Patch
References () https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e - () https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e - Patch
References () https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 - () https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 - Patch
References () https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 - () https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 - Patch
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 - Vendor Advisory
References () https://jira.xwiki.org/browse/XWIKI-21473 - () https://jira.xwiki.org/browse/XWIKI-21473 - Issue Tracking, Vendor Advisory

01 Aug 2024, 12:42

Type Values Removed Values Added
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Cualquier usuario con derecho de edición en cualquier página puede realizar la ejecución remota de código arbitrario agregando instancias de `XWiki.SearchSuggestConfig` y `XWiki.SearchSuggestSourceClass` a su perfil de usuario o a cualquier otra página. Esto compromete la confidencialidad, integridad y disponibilidad de toda la instalación de XWiki. Esta vulnerabilidad ha sido parcheada en XWiki 14.10.21, 15.5.5 y 15.10.2.

31 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-31 16:15

Updated : 2024-09-06 20:54


NVD link : CVE-2024-37901

Mitre link : CVE-2024-37901

CVE.ORG link : CVE-2024-37901


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-862

Missing Authorization

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')