CVE-2024-55879

XWiki allows RCE from script right in configurable sections

Description

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.

INFO

Published Date :

2024-12-12T19:17:38.138Z

Last Modified :

2024-12-13T14:54:21.161Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2024-55879 vulnerability.

Vendors	Products
Xwiki	Xwiki

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-55879.

URL	Resource
https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398
https://jira.xwiki.org/browse/XWIKI-21207

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact