CVE-2024-41947
CRITICAL
XWiki < 15.10.8 - Basic XSS
Title source: ruleDescription
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.
Exploits (1)
References (4)
Scores
CVSS v3
9.0
EPSS
0.1301
EPSS Percentile
94.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-80
CWE-79
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-web-templates
11.8-rc-1 - 15.10.8 (Maven)
xwiki/xwiki
11.8 - 15.10.8
Published
Jul 31, 2024
Tracked Since
Feb 18, 2026