PT-2024-4286 · Xwiki · Xwiki Platform

Michael Hamann · Published 2024-06-20 · Updated 2024-06-24 · CVE-2024-37899

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 14.10.21
XWiki Platform versions prior to 15.5.5
XWiki Platform versions prior to 15.10.6
XWiki Platform versions prior to 16.0.0
Description

The issue is an incorrect privilege assignment in the XWiki Platform that lets a remote, authenticated attacker execute arbitrary code. XWiki executes script macros with the rights of the document's last author. When an admin disables a user account, the user's profile document is saved as the admin and is then executed with the admin's rights, so a script macro that the user placed in their own profile runs with those rights even though the user has neither script nor programming rights. The attacker only has to plant the payload and then wait for, or provoke, an admin to disable the account, which is a routine administrative action (hence UI:A in the vector).

To reproduce the issue:

1. As a user without script or programming rights, edit the "About" section of your own user profile and add:
   {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}
2. As an admin, open that user's profile, click the "Disable this account" button, and reload the page.
3. Check the server log. If it contains "attacker - Hello from Groovy!", the instance is vulnerable.
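A defender's check for this issue is to look for script macros in user profiles before disabling an account, and to triage the profiles of users who were disabled while the instance was unpatched. The following is an added example, not code from the advisory or from XWiki. It assumes you have already extracted the text of each user's profile "About" field (for example from a XAR export or via the REST API) and scans that text offline; the macro list, the Finding type and the sample profiles are constructed for the example.

```python
"""Triage helper for CVE-2024-37899: flag script macros in XWiki user profiles.

Added example, not part of the advisory or of XWiki. Input is the raw text of
each user's profile "About" field, obtained however you export it; scanning is
offline. Macro names, helper names and sample data are assumptions made for
this example.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# XWiki macros that run server-side code when the document is rendered with
# sufficient rights. Assumed list for this example; extend it to match the
# script macros installed on your instance.
SCRIPT_MACROS = frozenset({"groovy", "velocity", "python", "script", "php"})

# Opening form of an XWiki 2.x macro: {{name param="v"}} ... or {{name/}}.
# Closing tags ({{/name}}) are deliberately not matched, so each macro block
# yields exactly one finding. Macro names are matched case-insensitively.
MACRO_OPEN = re.compile(
    r"\{\{\s*(?P<name>[A-Za-z][\w-]*)(?P<params>[^}]*?)(?P<inline>/)?\}\}"
)


class Finding(NamedTuple):
    macro: str    # lower-cased macro name, e.g. "groovy"
    line: int     # 1-based line number in the scanned text
    snippet: str  # the macro tag exactly as written


def find_script_macros(text: str) -> list[Finding]:
    """Return every script macro opened in `text`, in document order.

    The check is intentionally conservative: a macro inside a verbatim block
    ({{{ ... }}}) is also reported, because for triage a false positive is
    cheaper than missing an executable payload.
    """
    findings: list[Finding] = []
    for m in MACRO_OPEN.finditer(text):
        name = m.group("name").lower()
        if name in SCRIPT_MACROS:
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, line, m.group(0)))
    return findings


def triage_profiles(profiles: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each user whose profile opens a script macro to its findings."""
    return {
        user: found
        for user, about in profiles.items()
        if (found := find_script_macros(about))
    }


# Constructed sample data: the payload from the advisory, a benign profile,
# and an inline (self-closing) velocity macro with a parameter.
SAMPLE_PROFILES = {
    "alice": "Hello, I work on the wiki.\n{{info}}Ask me about docs{{/info}}",
    "mallory": (
        "About me\n"
        '{{groovy}}services.logging.getLogger("attacker")'
        '.error("Hello from Groovy!"){{/groovy}}'
    ),
    "trent": 'Notes\n\n{{velocity wiki="true"/}}',
}


if __name__ == "__main__":
    for user, found in triage_profiles(SAMPLE_PROFILES).items():
        for f in found:
            print(f"REVIEW {user}: {f.macro} macro at line {f.line}: {f.snippet}")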
Recommendations

To resolve the issue, upgrade to a fixed release of the branch you run: 14.10.21 or later for versions prior to 14.10.21, 15.5.5 or later for versions prior to 15.5.5, 15.10.6 or later for versions prior to 15.10.6, or 16.0.0 or later. Upgrading stops the profile from being executed with the admin's rights, but it does not remove script macros that users may already have placed in their profiles: review the profiles of accounts that were disabled while the instance was vulnerable, and on an unpatched instance inspect a profile's "About" content before disabling the account.

Weakness Enumeration

Code Injection
Incorrect Privilege Assignment

Related Identifiers

BDU:2024-04773
CVE-2024-37899
GHSA-J584-J2VJ-3F93

Affected Products

Xwiki Platform