← Back

CVE-2024-55876

nvd nist
Published: Dec 12, 2024Modified: Apr 30, 2025

JSON object

Loading...
5.4
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.8 / Impact: 2.5
Source: NVD

Description

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.

Affected (7)

Products: Xwiki: Xwiki
Xwiki
1 product
Xwiki
Configuration A
7 vulnerable
Vulnerable SoftwareAffected Versions
Xwiki
Xwiki
From 1.2.1 to 15.10.9
Xwiki
From 16.0.0 to 16.3.0
Xwiki
Version 1.2
Xwiki
Version 1.2 milestone2
Xwiki
Version 1.2 rc1
Xwiki
Version 1.2 rc2
Xwiki
Version 1.2 rc3

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
ExploitVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor Advisory

Timeline

No history available yet.