PT-2024-1466 · Xwiki · Xwiki Platform

Michael Hamann · Published 2024-01-08 · Updated 2024-04-23 · CVE-2024-21650

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.17
XWiki Platform versions prior to 15.5.3
XWiki Platform versions prior to 15.8 RC1

Description
The issue is in the user registration feature of the XWiki Platform, which is vulnerable to remote code execution (RCE). An attacker can execute arbitrary code by submitting crafted payloads in the first name or last name fields during user registration. The vulnerability affects every installation that has user registration enabled for guests. It is estimated that over 2,000 services are potentially affected, mainly in Germany, the United States, and other countries.

Recommendations
For XWiki Platform versions prior to 14.10.17, update to version 14.10.17 or later. For XWiki Platform versions prior to 15.5.3, update to version 15.5.3 or later. For XWiki Platform versions prior to 15.8 RC1, update to version 15.8 RC1 or later. As a temporary workaround, consider setting the "Registration Successful Message" to the provided code in the administration of your wiki, under "Users & Rights" > "Registration", to mitigate the risk of exploitation.
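The three fixed versions above belong to three different release lines (14.10.x, 15.5.x, and the 15.8 line onward), so a naive "is my version lower than 15.8 RC1" check would misclassify a patched 14.10.17 or 15.5.3 instance. The following is an added example, not code from the advisory or from the XWiki project, that parses XWiki-style version strings (assumed forms such as "14.10.17", "15.8 RC1" and "15.8-rc-1") and reports whether an inventoried instance still falls inside the affected ranges stated in this advisory. The inventory dictionary is constructed sample data.

```python
import re
from typing import Dict, NamedTuple


class Version(NamedTuple):
    """Orderable version: pre-release builds sort below the final release."""
    major: int
    minor: int
    patch: int
    stage: int  # 0 = milestone, 1 = release candidate, 2 = final release
    pre: int    # milestone / RC number, 0 for a final release


# Assumed version-string shapes: "15.5.3", "15.8", "15.8 RC1", "15.8-rc-1", "16.0.0-milestone-2"
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[\s-]*(milestone|rc)[\s-]*(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Parse a version string into a comparable Version tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, pre = match.groups()
    if stage is None:
        return Version(int(major), int(minor), int(patch or 0), 2, 0)
    stage_rank = 0 if stage.lower() == "milestone" else 1
    return Version(int(major), int(minor), int(patch or 0), stage_rank, int(pre))


# Fixed versions as listed in the advisory for CVE-2024-21650.
FIXED_14_10 = parse_version("14.10.17")
FIXED_15_5 = parse_version("15.5.3")
FIXED_15_8 = parse_version("15.8 RC1")


def is_affected(text: str) -> bool:
    """True when the given XWiki Platform version is inside an affected range.

    Each maintained branch has its own fix: 14.10.x is fixed from 14.10.17,
    15.5.x from 15.5.3, and every other line (older 14.x, 15.0-15.7, ...)
    is only fixed from 15.8 RC1 onward.
    """
    v = parse_version(text)
    if (v.major, v.minor) == (14, 10):
        return v < FIXED_14_10
    if (v.major, v.minor) == (15, 5):
        return v < FIXED_15_5
    return v < FIXED_15_8


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host in an inventory to whether its version is still affected."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "wiki-a.example.test": "14.10.16",
        "wiki-b.example.test": "14.10.17",
        "wiki-c.example.test": "15.5.2",
        "wiki-d.example.test": "15.7.4",
        "wiki-e.example.test": "15.8-rc-1",
        "wiki-f.example.test": "16.0.0",
    }
    for host, affected in triage(sample_inventory).items():
        print(f"{host}: {'AFFECTED - upgrade' if affected else 'fixed'}")
```

Run it against an exported list of instance versions to find which installations still need the upgrade; instances that cannot be upgraded immediately are the ones where the "Registration Successful Message" workaround from the advisory should be applied, or where guest registration should be disabled.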

Tags: Exploit · Fix · RCE · Code Injection · Eval Injection

Weakness Enumeration

Related Identifiers

BDU:2024-00970
CVE-2024-21650
GHSA-RJ7P-XJV7-7229

Affected Products

Xwiki Platform