CVE-2024-37901

EPSS 7.42%
Published 31.07.2024 16:15:03
Last modified 06.09.2024 20:54:20
Source security-advisories@github.com
Teams watchlist Login
Open Login

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Affected products Warnungen 0 Metrics 3 CWE 3 References 9

Data is provided by the National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 9.2 < 14.10.21

Xwiki ≫ Xwiki Version >= 15.0 < 15.5.5

Xwiki ≫ Xwiki Version >= 15.6 < 15.10.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	7.42%	0.914

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b

Patch

https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e

Patch

https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4

Patch

https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-21473

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-37901

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-37901

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-37901

EUVD