CVE-2024-55876
Published: 2024-12-12
Priority: P4 · 29 · medium · 5.4 (CVSS 3.1) · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.55% (42.1st percentile)
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 1.2.1 < 15.10.9 | 15.10.9 |
| xwiki | xwiki | >= 16.0.0 < 16.3.0 | 16.3.0 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| nvd | v3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
GHSA · 2024-12-12
CVE-2024-55876 [MEDIUM] CWE-862: XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
### Impact
Any user with an account on the main wiki could run scheduling operations on subwikis.
To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable.
### Patches
This has been patched in XWiki 15.10.9 and 16.3.0.
### Workarounds
If you have subwikis where the Job Scheduler is enabled, you can edit the objects on `Scheduler.WebPreferences` to match https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4.
### References
OSV · 2024-12-12
CVE-2024-55876 [MEDIUM]: XWiki's scheduler in subwiki allows scheduling operations for any main wiki user (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-12-12