CVE-2024-43400

CRITICAL

XWiki < 14.10.21 - Stored Cross-Site Scripting via Crafted URL

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-43400. PoCs published by rain321654.

AI-analyzed exploit summary The repository contains only a README.md with the CVE identifier and no additional technical details or exploit code. It appears to be a placeholder with minimal content.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Exploits (2)

nomisec STUB

by rain321654 · poc

https://github.com/rain321654/CVE-2024-43400

View Code ZIP pw:eip

The repository contains only a README.md with the CVE identifier and no additional technical details or exploit code. It appears to be a placeholder with minimal content.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec SCANNER

by rain321654 · poc

https://github.com/rain321654/yasa-cve-2024-43400-main1

View Code ZIP pw:eip

The repository contains a Dockerized scanner for CVE-2024-43400, which uses the YASA engine to detect taint flow vulnerabilities in Java code. It does not include exploit code but provides a tool to identify the vulnerability in the target software.

Classification

Scanner 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: XWiki Platform (specific version not specified)

No auth needed

Prerequisites: Access to the target source code · Docker environment to run the scanner

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v

Patch x_refsource_misc

https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c

View Patch ZIP pw:eip

Issue Tracking, Vendor Advisory x_refsource_misc

https://jira.xwiki.org/browse/XWIKI-21810

Scores

CVSS v3 9.0

EPSS 0.0727

EPSS Percentile 91.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79 CWE-96

Status published

Products (2)

org.xwiki.platform/xwiki-platform-oldcore 1.1.2 - 14.10.21Maven

xwiki/xwiki < 14.10.21

Published Aug 19, 2024

Tracked Since Feb 18, 2026