XWiki Platform Vulnerability: Disabling a User Account Executes Malicious Profile Code
CVE-2024-37899
Summary
This XWiki Platform vulnerability lets a low-privileged user escalate to administrator by placing script macros in their own user profile, which any user can edit. XWiki evaluates script macros with the rights of the document's content author, and the profile's disable-account action causes the attacker's profile content to be evaluated with the administrator's rights. The injected script therefore runs as the administrator and can read or modify anything the administrator can, including data the attacker could not otherwise reach. The only trigger is the administrator disabling the account; no further interaction with the attacker is needed. Affected installations must upgrade to XWiki 14.10.21, 15.5.5, 15.10.6, or 16.0.0; no workaround is known. Until the upgrade is applied, an administrator should inspect a user's free-text profile fields for script macros before disabling that account.
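The pre-disable check mentioned above, as an added example that is not part of this advisory or of XWiki's own code: it scans the free-text fields of a user profile for XWiki 2.x macro invocations and holds the disable action when it finds script macros or wrappers that can embed them. The macro watch list, the field names (the `comment` field is assumed to be the profile's About text), and both sample profiles are constructed for this example; pull real profile data from your own wiki before relying on it.

```python
import re
from dataclasses import dataclass

# Macro names treated as executable: script macros plus wrappers that can
# embed them. Hypothetical watch list for this check; extend it to cover the
# macros actually installed on your wiki.
SCRIPT_MACROS = {
    "groovy", "velocity", "python", "php", "ruby", "script",
    "async", "include", "display", "html",
}

# XWiki 2.x macro syntax: {{name param="v"}} ... {{/name}} or {{name/}}.
# Parameter values containing '}' are not handled; acceptable for a
# conservative pre-action check that prefers false positives to misses.
MACRO_RE = re.compile(r"\{\{\s*(/?)\s*([A-Za-z][\w.-]*)\b[^}]*?(/?)\}\}")


@dataclass
class MacroHit:
    name: str      # macro name, lower-cased
    offset: int    # character offset of the opening "{{"


def find_macros(text: str) -> list[MacroHit]:
    """Return every opening or self-closing macro invocation in wiki text."""
    hits = []
    for m in MACRO_RE.finditer(text):
        closing, name = m.group(1), m.group(2).lower()
        if closing:
            continue  # {{/name}} only closes a macro already recorded
        hits.append(MacroHit(name, m.start()))
    return hits


def script_macros_in(text: str) -> list[MacroHit]:
    """Invocations that would execute code if this text were rendered
    with a privileged content author."""
    return [h for h in find_macros(text) if h.name in SCRIPT_MACROS]


def review_profile(profile: dict) -> dict:
    """Map each string field of a profile to the script macro names it
    contains, in order of appearance and de-duplicated. Empty means clean."""
    findings = {}
    for field, value in profile.items():
        if not isinstance(value, str):
            continue
        names = []
        for hit in script_macros_in(value):
            if hit.name not in names:
                names.append(hit.name)
        if names:
            findings[field] = names
    return findings


def safe_to_disable(profile: dict) -> bool:
    """True only when no field carries anything that could run as the admin."""
    return not review_profile(profile)


# Constructed sample profiles (not real XWiki data). Field names follow the
# XWiki.XWikiUsers class; "comment" is assumed to be the About field.
CLEAN_PROFILE = {
    "first_name": "Alice",
    "last_name": "Example",
    "email": "alice@example.test",
    "comment": "Writes {{info}}documentation{{/info}} and tends the wiki.",
}

SUSPECT_PROFILE = {
    "first_name": "Mallory",
    "last_name": "Example",
    "email": "mallory@example.test",
    "comment": (
        "Hi there.\n"
        '{{async}}{{groovy}}println("hello from the profile"){{/groovy}}{{/async}}'
    ),
}


if __name__ == "__main__":
    for label, profile in (("alice", CLEAN_PROFILE), ("mallory", SUSPECT_PROFILE)):
        findings = review_profile(profile)
        verdict = "ok to disable" if not findings else f"HOLD, script macros: {findings}"
        print(f"{label}: {verdict}")
```

The scanner deliberately does not strip `{{{ ... }}}` verbatim blocks: text inside them is not executed by XWiki, so flagging it only produces a false positive, whereas a verbatim-stripping step that disagrees with the renderer's parser could hide a real macro. Treat any hit as a reason to review the profile by hand rather than disable the account.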
Affected Version(s)
xwiki-platform >= 13.4.7, <= 13.5
xwiki-platform >= 13.10.3, < 14.10.21
xwiki-platform >= 15.0-rc-1, < 15.5.5
References
EPSS Score
46% estimated probability of exploitation in the wild within the next 30 days.
CVSS V3.1
Timeline
Vulnerability published