CVE-2024-37901
published 2024-07-31CVE-2024-37901: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform…
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.06%
60.2th percentile
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 15.0 < 15.5.5 | 15.5.5 |
| xwiki | xwiki | >= 15.6 < 15.10.2 | 15.10.2 |
| xwiki | xwiki | >= 9.2 < 14.10.21 | 14.10.21 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
osv·2024-07-31
CVE-2024-37901 [CRITICAL] XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
### Impact
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestConfig` to your profile page, and an object of type `XWiki.SearchSuggestSourceClass` as well. On this last object, set both `name` and `icon` properties to `$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess(
GHSA
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
ghsa·2024-07-31
CVE-2024-37901 [CRITICAL] CWE-862 XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
### Impact
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestConfig` to your profile page, and an object of type `XWiki.SearchSuggestSourceClass` as well. On this last object, set both `name` and `icon` properties to `$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess(
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553bhttps://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64ehttps://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5https://jira.xwiki.org/browse/XWIKI-21473
2024-07-31
Published