PT-2024-27818 · Xwiki · Xwiki Platform
Michael Hamann
·
Published
2024-07-31
·
Updated
2024-09-06
·
CVE-2024-37901
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.21
XWiki Platform versions prior to 15.5.5
XWiki Platform versions prior to 15.10.2
Description
The issue allows any user with edit rights on any page to perform arbitrary remote code execution by adding instances of
XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity, and availability of the whole XWiki installation.Recommendations
For XWiki Platform versions prior to 14.10.21, upgrade to version 14.10.21 or later.
For XWiki Platform versions prior to 15.5.5, upgrade to version 15.5.5 or later.
For XWiki Platform versions prior to 15.10.2, upgrade to version 15.10.2 or later.
As a temporary workaround, consider restricting the ability to add instances of
XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to user profiles or pages until a patch is applied.Exploit
Fix
RCE
Code Injection
Missing Authorization
Eval Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Xwiki Platform