PT-2024-36596 · Xwiki · Xwiki Platform

Michael Hamann · Published 2024-12-12 · Updated 2025-04-14 · CVE-2024-55877

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 9.7-rc-1 through 15.10.10
XWiki Platform versions 16.4.0 through 16.4.0
XWiki Platform versions 16.5.0 and earlier

Description

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity, and availability of the whole XWiki installation. The vulnerability has been fixed in XWiki 15.10.11, 16.4.1, and 16.5.0.

Recommendations

For XWiki Platform versions 9.7-rc-1 through 15.10.10, update to version 15.10.11 or later. For XWiki Platform version 16.4.0, update to version 16.4.1 or later. For XWiki Platform versions 16.5.0 and earlier, update to version 16.5.0 or later. As a temporary workaround, it is possible to manually apply the patch to the page XWiki.XWikiSyntaxMacrosList.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-55877
GHSA-2R87-74CX-2P7C

Affected Products

Xwiki Platform