XWiki Platform Vulnerability - Scheduler Code Execution
CVE-2024-55876

5.4MEDIUM

Key Information:

Vendor
Xwiki
Status
Xwiki-platform
Vendor
CVE Published:
12 December 2024

Summary

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on Scheduler.WebPreferences to match the patch.

Affected Version(s)

xwiki-platform >= 1.2-milestone-2, < 15.10.9 < 1.2-milestone-2, 15.10.9

xwiki-platform >= 16.0.0-rc-1, < 16.3.0 < 16.0.0-rc-1, 16.3.0

References

https://github.com/xwiki/xwiki-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2...
x_refsource_MISC
https://jira.xwiki.org/browse/XWIKI-21663
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.