CVE-2024-41947

CRITICAL

XWiki 11.8-15.10.7 - Stored Cross-Site Scripting via Edit Conflict

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-41947. PoCs published by Siddhartha Naik.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in OpenCMS 17.0, where malicious JavaScript can be injected into the author field of an article. The exploit triggers when a user clicks the 'Read More' button, executing the script in their browser.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.

Exploits (1)

exploitdb WRITEUP
by Siddhartha Naik · text · webapps · php
https://www.exploit-db.com/exploits/52209


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: OpenCMS 17.0
Auth required
Prerequisites: Ability to create/modify articles in OpenCMS
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.0
EPSS 0.1301
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-80, CWE-79
Status published
Products (2)
org.xwiki.platform/xwiki-platform-web-templates 11.8-rc-1 - 15.10.8 (Maven)
xwiki/xwiki 11.8 - 15.10.8
Published Jul 31, 2024
Tracked Since Feb 18, 2026