CVE-2024-55662
Published 2024-12-12
Priority: P3 53 · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.75% (50.3rd percentile)
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
Affected: 4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 16.0.0 < 16.3.0 | 16.3.0 |
| xwiki | xwiki | >= 3.3 < 15.10.9 | 15.10.9 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
OSV advisory (2024-12-12): CVE-2024-55662 [CRITICAL] XWiki allows remote code execution through the extension sheet
### Impact
On instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server.
To reproduce on an instance, as a normal user without `script` or `programming` rights, go to your profile and add an object of type `ExtensionCode.ExtensionClass`. Set the description to `{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}` and press `Save and View`. If the description displays as `Hello from Description` without any error, the instance is vulnerable.
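As an added example (not part of the advisory or of XWiki's own code), a defender-side audit that scans an exported XWiki page document for `ExtensionCode.ExtensionClass` objects whose description embeds script macros such as the `{{async}}{{groovy}}` pattern above, so existing profile pages can be reviewed before or after patching; the XAR XML layout (`object`/`className`/`property`/`description`) and the macro list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Macros whose rendering needs script/programming rights, plus the async/cache
# wrappers that defer execution. This list is an assumption for the audit.
RISKY_MACROS = {"groovy", "velocity", "python", "php", "async", "cache"}
# Matches opening macros only ({{name ...}}); closing {{/name}} is skipped.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z]+)")

def find_risky_macros(description: str) -> list[str]:
    """Return the risky macro names used in a wiki-syntax string, deduplicated, in order."""
    found = []
    for name in MACRO_RE.findall(description):
        lowered = name.lower()
        if lowered in RISKY_MACROS and lowered not in found:
            found.append(lowered)
    return found

def audit_xar_document(xml_text: str) -> list[tuple[int, list[str]]]:
    """Scan one exported page (assumed XAR document XML) for ExtensionClass objects
    whose description carries risky macros. Returns (object number, macros) pairs."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "ExtensionCode.ExtensionClass":
            continue
        number = int(obj.findtext("number", "0"))
        description = obj.findtext("property/description", "")
        macros = find_risky_macros(description)
        if macros:
            findings.append((number, macros))
    return findings

# Constructed sample: a user profile page carrying two ExtensionClass objects.
SAMPLE_XML = """<xwikidoc>
<name>alice</name>
<object><name>XWiki.alice</name><number>0</number>
<className>ExtensionCode.ExtensionClass</className>
<property><description>A harmless extension description.</description></property>
</object>
<object><name>XWiki.alice</name><number>1</number>
<className>ExtensionCode.ExtensionClass</className>
<property><description>{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}</description></property>
</object>
</xwikidoc>"""

if __name__ == "__main__":
    for number, macros in audit_xar_document(SAMPLE_XML):
        print(f"ExtensionClass object #{number}: risky macros {macros}")
```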
### Patches
This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0.
### Workarounds
Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
GHSA advisory (2024-12-12): CVE-2024-55662 [CRITICAL] CWE-863 XWiki allows remote code execution through the extension sheet (same advisory text as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-12