CVE-2024-43400

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

20 Aug 2024, 16:10

Type Values Removed Values Added
CWE CWE-79
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
References () https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c - () https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c - Patch
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v - Vendor Advisory
References () https://jira.xwiki.org/browse/XWIKI-21810 - () https://jira.xwiki.org/browse/XWIKI-21810 - Issue Tracking, Vendor Advisory
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Es posible que un usuario sin derechos de script o programación cree una URL que apunte a una página con JavaScript arbitrario. Esto requiere que un ingeniero social engañe al usuario para que siga la URL. Esto ha sido parcheado en XWiki 14.10.21, 15.5.5, 15.10.6 y 16.0.0.
CVSS v2 : unknown
v3 : 9.0
v2 : unknown
v3 : 5.4
First Time Xwiki
Xwiki xwiki

19 Aug 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-19 17:15

Updated : 2024-08-20 16:10


NVD link : CVE-2024-43400

Mitre link : CVE-2024-43400

CVE.ORG link : CVE-2024-43400


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')