CVE-2024-55879

Published: Dec 12, 2024Modified: Apr 30, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.

Affected (2)

Products: Xwiki: Xwiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 2.3 to 15.10.9
Xwiki Xwiki	From 16.0.0 to 16.3.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d

Source: security-advisories@github.com

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr

Source: security-advisories@github.com

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-21207

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Not Applicable

Timeline

No history available yet.