XWiki Platform Run-time Code Execution Vulnerability
CVE-2024-37901
Summary
The XWiki Platform, a widely used generic wiki platform, contains a security flaw that enables remote code execution. Any user with edit rights on at least one page (their own profile page is sufficient) can add crafted instances of the XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass classes to that page; because the search suggest configuration is evaluated with elevated rights, this leads to unauthorized execution of arbitrary code on the server, compromising the confidentiality, integrity, and availability of the whole XWiki installation. Affected installations must upgrade to one of the patched releases, XWiki 14.10.21, 15.5.5, or 15.10.2, to mitigate this risk.
Affected Version(s)
xwiki-platform: affected >= 15.6-rc-1 and < 15.10.2; patched in 15.10.2
xwiki-platform: affected >= 15.0-rc-1 and < 15.5.5; patched in 15.5.5
xwiki-platform: affected >= 9.2-rc-1 and < 14.10.21; patched in 14.10.21
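To check whether a deployed xwiki-platform version falls inside one of the affected ranges above, here is an added example (not code from XWiki or from the advisory); it assumes that an XWiki release candidate such as 15.6-rc-1 sorts before the corresponding final release 15.6, which matters because the range lower bounds are rc builds.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed in the advisory above:
# (lower bound, inclusive; upper bound, exclusive; patched release for that branch)
AFFECTED_RANGES = [
    ("15.6-rc-1", "15.10.2", "15.10.2"),
    ("15.0-rc-1", "15.5.5", "15.5.5"),
    ("9.2-rc-1", "14.10.21", "14.10.21"),
]

# Accepts "major.minor", "major.minor.patch", optionally followed by "-rc-N".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn an xwiki-platform version string into a sortable tuple.

    Assumption: a release candidate precedes the final release with the same
    number (15.6-rc-1 < 15.6), so the 'final' flag is 0 for rc builds, 1 otherwise.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised xwiki-platform version: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release on the matching branch, or None if not affected."""
    v = parse_version(version)
    for lower, upper, patched in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return patched
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample versions covering the range boundaries.
    for sample in ["9.1", "9.2-rc-1", "14.10.20", "14.10.21", "15.5.4", "15.5.5", "15.6-rc-1", "15.10.1", "15.10.2"]:
        status = f"affected, upgrade to {fixed_version_for(sample)}" if is_affected(sample) else "not affected"
        print(f"{sample}: {status}")
```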