CVE-2024-38369

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.
Configurations

Configuration 1 (hide)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.3
v2 : unknown
v3 : 9.9
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh - Vendor Advisory () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh - Vendor Advisory

26 Jun 2024, 14:47

Type Values Removed Values Added
First Time Xwiki
Xwiki xwiki
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh - Vendor Advisory
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. El contenido de un documento incluido usando `{{include reference="targetdocument"/}}` se ejecuta con el derecho del incluidor y no con el derecho de su autor. Esto significa que cualquier usuario capaz de modificar el documento de destino puede hacerse pasar por el autor del contenido que utilizó la macro "incluir". Esta vulnerabilidad se ha solucionado en XWiki 15.0 RC1 haciendo que el comportamiento predeterminado sea seguro.
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 9.9
v2 : unknown
v3 : 4.3

24 Jun 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-24 17:15

Updated : 2024-11-21 09:25


NVD link : CVE-2024-38369

Mitre link : CVE-2024-38369

CVE.ORG link : CVE-2024-38369


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-863

Incorrect Authorization