Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-37901

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Published

2024-07-31T16:15:03.683

Last Modified

2024-09-06T20:54:20.857

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-95
CWE-862
Type: Primary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 14.10.21	Yes
Application	xwiki	xwiki	< 15.5.5	Yes
Application	xwiki	xwiki	< 15.10.2	Yes

References

https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b Patch ([email protected])
https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e Patch ([email protected])
https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-21473 Issue Tracking, Vendor Advisory ([email protected])