9.9

CVE-2024-31987

Exploit

XWiki Platform remote code execution from account via custom skins support

XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page (for example their own profile page) can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (vendor: Xwiki, product: Xwiki):
  Version >= 6.4  and < 14.10.19
  Version >= 15.0 and < 15.5.4
  Version >= 15.6 and < 15.10
No security alert was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  1.45%   0.699
CVSS Metrics
Source                         Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                   8.8         2.8            5.9           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com 9.9         3.1            6             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References
https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39 (Patch)
https://github.com/xwiki/xwiki-platform/commit/626d2a5dbf95b4e719ae13bf1a0a9c76e4edd5a2 (Patch)
https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56 (Patch)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cv55-v6rw-7r5v (Vendor Advisory, Exploit)
https://jira.xwiki.org/browse/XWIKI-21478 (Vendor Advisory, Exploit)