CVE-2024-55877
CRITICALXWiki 9.7-15.10.10 - Authenticated Remote Code Execution via WikiMacroClass Instance Injection
Title source: llmDescription
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
Exploit, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-22030
Scores
CVSS v3
9.9
EPSS
0.0156
EPSS Percentile
72.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
CWE-96
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-help-ui
9.7-rc-1 - 15.10.11Maven
xwiki/xwiki
16.5.0 rc1
xwiki/xwiki
9.7 - 15.10.11
Published
Dec 12, 2024
Tracked Since
Feb 18, 2026