Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-38369

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.

Published

2024-06-24T17:15:10.593

Last Modified

2024-11-21T09:25:28.967

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-863
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 15.0	Yes

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)