In XWiki Platform, payloads stored in content are executed when a user with script/programming rights edits them
CVE-2024-43401

8 HIGH

Key Information:

Vendor: XWiki
CVE Published: 19 August 2024

Summary

This XWiki Platform vulnerability allows a non-privileged user to exploit a flaw in the WYSIWYG editor. By tricking a user with elevated rights into editing content that contains a malicious payload, the attacker causes that elevated user to execute potentially dangerous code without any prior warning. This can lead to significant security issues, as it compromises both the integrity of the content and the trust users place in the platform. The vulnerability has been addressed and patched in version 15.10RC1.

Affected Version(s)

xwiki-platform < 15.10-rc-1

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published