Description

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki.

INFO

Published Date :

2024-12-12T18:53:49.491Z

Last Modified :

2024-12-16T18:08:43.496Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-55663 vulnerability.

Vendors Products
Xwiki
  • Xwiki
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-55663.

URL Resource
https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0 cve-icon cve-icon
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398 cve-icon cve-icon
https://jira.xwiki.org/browse/XWIKI-17568 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact