CVE-2022-24821
Published 2022-04-08. CVE-2022-24821: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without…
Priority P3 · 45 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.79% (51.7th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| composer | composer | >= 0 < 1.0.0~beta2-1ubuntu0.1~esm2 | 1.0.0~beta2-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.6.3-1ubuntu0.1~esm2 | 1.6.3-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 1.10.1-1ubuntu0.1~esm2 | 1.10.1-1ubuntu0.1~esm2 |
| composer | composer | >= 0 < 2.2.6-2ubuntu4+esm1 | 2.2.6-2ubuntu4+esm1 |
| composer | composer | >= 0 < 2.7.1-2ubuntu0.1~esm1 | 2.7.1-2ubuntu0.1~esm1 |
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 12.0.0 < 12.10.11 | 12.10.11 |
| xwiki | xwiki | >= 13.4.0 < 13.4.6 | 13.4.6 |
| xwiki | xwiki-platform | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| osv | — | 8.8 | HIGH | — |
OSV
composer vulnerabilities (osv · 2025-06-30 · CVSS 8.8 · CVE-2022-24828)
Thomas Chauchefoin discovered that Composer did not correctly handle certain arguments. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24828, CVE-2023-43655)
Ed Cradock discovered that Composer did not correctly handle the exclusion of certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24821)
Martin Haunschmid discovered that Composer did not correctly handle git branch names. An attacker could possibly use this issue to execute arbitrary code. (CVE-2024-35241)
Maciej Piechota discovered that Composer did not correctly handle VCS branch names. An
GHSA
Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx (ghsa · 2022-04-08 · CVE-2022-24821 [MEDIUM] · CWE-648)
### Impact
Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to actually create those.
### Patches
This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6.
### Workarounds
There is no easy workaround for this issue; administrators should upgrade their wiki.
### References
https://jira.xwiki.org/browse/XWIKI-19155
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [XWiki Security ML](mailto:[email protected])
OSV
Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx (osv · 2022-04-08 · CVE-2022-24821 [MEDIUM])
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.