PT-2024-30560 · Xwiki · Xwiki Platform
Michael Hamann · Published 2024-08-19 · Updated 2024-08-23 · CVE-2024-43401
CVSS v4.0: 9.4 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 15.10RC1
Description
A user without script or programming rights can trick a user with elevated rights into editing content containing a malicious payload with a WYSIWYG editor. The user with elevated rights receives no warning beforehand that the content they are about to edit may be dangerous, and the payload is executed at edit time, with that user's rights.
Recommendations
For versions prior to 15.10RC1, upgrade to XWiki 15.10RC1 or later to patch the vulnerability. As a temporary workaround, consider restricting the use of WYSIWYG editors for users with elevated rights until the patch is applied.
Missing Authorization
Improper Privilege Management
Related Identifiers
Affected Products
Xwiki Platform