CVE-2024-55879

CRITICAL LAB

Xwiki < 15.10.9 - Missing Authorization

Title source: rule

Description

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9 and 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.

Exploits (1)

nomisec WORKING POC
by dbwlsdnr95 · poc
https://github.com/dbwlsdnr95/CVE-2024-55879

Scores

CVSS v3 9.1
EPSS 0.1577
EPSS Percentile 94.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull eclipse-temurin:11-jre
docker pull xwiki:15.10.5-postgres-tomcat

Details

CWE
CWE-862
Status published
Products (3)
org.xwiki.platform/xwiki-platform-administration-ui 2.3 - 15.10.9 (Maven)
xwiki/xwiki 16.0.0 - 16.3.0
xwiki/xwiki 2.3 - 15.10.9
Published Dec 12, 2024
Tracked Since Feb 18, 2026