PT-2024-5617 · Xwiki · Xwiki Platform
Pierre Jeanjean
·
Published
2024-07-31
·
Updated
2024-09-06
·
CVE-2024-37898
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.21
XWiki Platform versions prior to 15.5.5
XWiki Platform versions prior to 15.10.6
Description
The issue is related to a lack of authorization in the XWiki Platform, allowing a remote attacker to potentially execute arbitrary code. When a user has view but not edit rights on a page, they can delete the page and replace it with new content without having delete rights. The previous version of the page is moved into the recycle bin and can be restored by an admin. However, it does not seem possible to exploit this to gain any rights.
Recommendations
For versions prior to 14.10.21, update to version 14.10.21 or later.
For versions prior to 15.5.5, update to version 15.5.5 or later.
For versions prior to 15.10.6, update to version 15.10.6 or later.
Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki Platform