PT-2024-36598 · Xwiki · Xwiki Platform
Manuelleduc
·
Published
2024-12-12
·
Updated
2025-02-26
·
CVE-2024-55879
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 2.3 through 15.10.8
XWiki Platform version 16.3.0 without the patch applied
Description
Any user holding script rights can achieve arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. Because script rights are granted far more widely than programming rights, this is an escalation from a limited scripting user to full control of the XWiki installation, compromising the confidentiality, integrity, and availability of the whole instance.
Recommendations
For XWiki Platform versions 2.3 through 15.10.8, upgrade to version 15.10.9.
For XWiki Platform versions 16.3.0 before the patch, upgrade to version 16.3.0 with the patch applied.
As a temporary workaround until the upgrade is applied, restrict access to XWiki.ConfigurableClass so that untrusted users cannot create or edit instances of it. This reduces exposure but does not remove the flaw; only the fixed versions do.
Exploit · Fix
RCE · Missing Authorization · Improper Encoding or Escaping of Output
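To turn the affected-version ranges above into a repeatable check, the following added Python example (not code from the PT-2024-36598 page or from the XWiki project) parses XWiki version strings, including -rc-N and -milestone-N pre-release qualifiers, and classifies a deployed version using only the two ranges this advisory states; anything else is reported as "not listed", never as safe. The ordering milestone < rc < final, and the XWQL query suggested for enumerating existing XWiki.ConfigurableClass instances, are my assumptions, not something the advisory provides.

```python
"""Version triage for CVE-2024-55879 (XWiki Platform, XWiki.ConfigurableClass RCE).

Added example; not part of the PT-2024-36598 advisory or the XWiki code base.
It encodes exactly the two affected ranges printed on the advisory page.
"""
import re

# Pre-release qualifiers seen in XWiki version numbers. Assumption: a milestone
# sorts before a release candidate, and both sort before the final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Assumption: XWQL query an administrator could run through the XWiki REST
# query endpoint to list every page that carries a ConfigurableClass instance,
# which is the population the workaround (restricting access) is about.
CONFIGURABLE_INSTANCES_XWQL = (
    "select doc.fullName from Document doc, "
    "doc.object(XWiki.ConfigurableClass) as cfg"
)

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?"
)


def parse_version(version):
    """Turn '15.10.8', '2.3' or '16.4.0-rc-1' into a comparable tuple.

    Returns (major, minor, patch, qualifier_rank, qualifier_number). A missing
    patch component is treated as 0, so '2.3' == '2.3.0'. Final releases get
    the highest qualifier rank so that 16.4.0-rc-1 < 16.4.0.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, qualifier, qualifier_number = match.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if qualifier is None:
        return numeric + (_FINAL_RANK, 0)
    return numeric + (_QUALIFIER_RANK[qualifier], int(qualifier_number))


def triage(version):
    """Classify a deployed version using only the ranges the advisory states."""
    v = parse_version(version)
    # Range 1 from the advisory: 2.3 through 15.10.8, fixed in 15.10.9.
    if parse_version("2.3") <= v <= parse_version("15.10.8"):
        return "affected: upgrade to 15.10.9"
    # Range 2 from the advisory: 16.3.0 without the patch applied.
    if v == parse_version("16.3.0"):
        return "affected unless the 16.3.0 patch is applied"
    # The advisory says nothing about other versions; do not call them safe.
    return "not listed on the advisory page; check the vendor advisory"


def triage_inventory(inventory):
    """Map {hostname: version} to {hostname: verdict} for a fleet of instances."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "wiki-legacy.example.test": "15.10.8",
        "wiki-prod.example.test": "15.10.9",
        "wiki-staging.example.test": "16.3.0",
        "wiki-next.example.test": "16.4.0-rc-1",
    }
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {verdict}")
```

The 16.x branch is deliberately narrow: the page only names 16.3.0, so the checker does not guess about 16.0 through 16.2 or about pre-release builds of 16.3.0, and returns "not listed" for them. Run the XWQL query against each flagged instance to see which pages already carry ConfigurableClass objects before deciding how tightly to restrict the class.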
Affected Products
Xwiki Platform