XWiki Platform vulnerable to Remote Code Execution (RCE) attack
CVE-2024-21650

10CRITICAL

Key Information:

Vendor
xwiki
Status
xwiki-platform
Vendor
CVE Published:
8 January 2024

Summary

The XWiki Platform is susceptible to a remote code execution vulnerability due to improper handling of user input in the user registration feature. This vulnerability allows attackers to inject malicious payloads via the 'first name' or 'last name' fields during the registration process. The risk is significant for installations that permit guest user registrations, as an attacker could potentially execute arbitrary code on the server. This vulnerability has been addressed in the subsequent releases: XWiki 14.10.17, 15.5.3, and 15.8 RC1, urging users to update their installations to mitigate security risks.

Affected Version(s)

xwiki-platform >= 2.2, < 14.10.17 < 2.2, 14.10.17

xwiki-platform >= 15.0-rc-1, < 15.5.3 < 15.0-rc-1, 15.5.3

xwiki-platform >= 15.6-rc-1, < 15.8-rc-1 < 15.6-rc-1, 15.8-rc-1

References

https://github.com/xwiki/xwiki-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/b290bfd573...
x_refsource_MISC
https://jira.xwiki.org/browse/XWIKI-21173
x_refsource_MISC

EPSS Score

85% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.