CVE-2024-37901 - OpenCVE

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

No data.

References

Link	Providers
https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b
https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e
https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4
https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5
https://jira.xwiki.org/browse/XWIKI-21473

History

Fri, 06 Sep 2024 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94

Tue, 13 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki xwiki
CPEs	cpe:2.3:a:xwiki:xwiki-platform::::::::	cpe:2.3:a:xwiki:xwiki::::::::
Vendors & Products	Xwiki xwiki-platform	Xwiki xwiki

Tue, 06 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xwiki Xwiki xwiki-platform
CPEs		cpe:2.3:a:xwiki:xwiki-platform::::::::
Vendors & Products		Xwiki Xwiki xwiki-platform
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-31T15:19:36.588Z

Updated: 2024-08-13T13:37:05.363Z

Reserved: 2024-06-10T19:54:41.362Z

Link: CVE-2024-37901

Vulnrichment

Updated: 2024-08-06T19:02:43.296Z

NVD

Status : Analyzed

Published: 2024-07-31T16:15:03.683

Modified: 2024-09-06T20:54:20.857

Link: CVE-2024-37901

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object