Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-55877

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.

Published

2024-12-12T20:15:21.350

Last Modified

2025-04-30T16:02:00.053

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-96
Type: Primary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 15.10.11	Yes
Application	xwiki	xwiki	< 16.4.1	Yes
Application	xwiki	xwiki	16.5.0	Yes

References

https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-22030 Exploit, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-22030 Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)