PT-2024-36595 · Xwiki · Xwiki Platform

Michael Hamann · Published 2024-12-12 · Updated 2024-12-13

CVE-2024-55876

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 1.2-milestone-2 through 15.10.8
XWiki Platform versions 1.2-milestone-2 through 16.2.x

Description

The issue allows any user with an account on the main wiki to run scheduling operations on subwikis. To reproduce, a user on the main wiki without any special right can view the document Scheduler.WebHome in a subwiki, then click on any operation (e.g., Trigger) on any job. If the operation is successful, the instance is vulnerable.

Recommendations

For XWiki Platform versions 1.2-milestone-2 through 15.10.8, update to version 15.10.9 or later. For XWiki Platform versions 1.2-milestone-2 through 16.2.x, update to version 16.3.0 or later. As a temporary workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on Scheduler.WebPreferences to match the patch.
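An added version-triage helper, not part of this advisory or of XWiki itself, that applies the affected and fixed ranges stated above to version strings taken from an inventory. The version grammar it assumes (numeric components with an optional "-milestone-N" or "-rc-N" qualifier) and the sample inventory are constructed for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple


class XWikiVersion(NamedTuple):
    """Orderable form of an XWiki version string (assumed grammar, see parse_version)."""
    nums: Tuple[int, ...]       # numeric part padded to three components: "16.2" -> (16, 2, 0)
    is_final: bool              # False for pre-releases, so "16.3.0-rc-1" sorts before "16.3.0"
    qualifier: Tuple[str, int]  # ("milestone", 2) or ("rc", 1); ("", 0) for final releases


def parse_version(text: str) -> XWikiVersion:
    """Parse strings such as '15.10.8', '16.2', '1.2-milestone-2' or '16.3.0-rc-1'."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:-([a-z]+)-?(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    nums = tuple(parts + [0] * (3 - len(parts)))
    if m.group(2) is None:
        return XWikiVersion(nums, True, ("", 0))
    return XWikiVersion(nums, False, (m.group(2), int(m.group(3) or 0)))


# Ranges exactly as stated in the advisory.
FIRST_AFFECTED = parse_version("1.2-milestone-2")
FIXED_15 = "15.10.9"   # fixes the 1.2-milestone-2 .. 15.10.8 range
FIXED_16 = "16.3.0"    # fixes the 1.2-milestone-2 .. 16.2.x range


def recommended_fix(version: str) -> Optional[str]:
    """Return the advisory's minimum fixed version for `version`, or None if already fixed.

    Pre-releases of a fixing version (e.g. 16.3.0-rc-1) sort below the final release and
    are therefore reported as affected; that is a conservative assumption, not advisory text.
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return None  # predates the vulnerable code according to the advisory
    target = FIXED_15 if v.nums[0] <= 15 else FIXED_16
    return target if v < parse_version(target) else None


def is_affected(version: str) -> bool:
    return recommended_fix(version) is not None


def triage(inventory):
    """Map each (host, version) pair to the upgrade it needs; hosts already fixed are omitted."""
    return {host: recommended_fix(ver) for host, ver in inventory if is_affected(ver)}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    sample = [("wiki-a", "15.10.8"), ("wiki-b", "16.2.1"), ("wiki-c", "16.3.0"), ("wiki-d", "17.0.0")]
    for host, target in triage(sample).items():
        print(f"{host}: upgrade to {target} or later (CVE-2024-55876)")
```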

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2024-55876
GHSA-CWQ6-MJMX-47P6

Affected Products

Xwiki Platform