Arbitrary Remote Code Execution Vulnerability in XWiki Platform
CVE-2024-55877
Summary
The XWiki Platform, a widely used wiki software, is affected by a security vulnerability that allows any authenticated user to execute arbitrary remote code. This flaw arises when users incorporate instances of 'XWiki.WikiMacroClass' onto any page, which severely compromises the confidentiality, integrity, and availability of the XWiki environment. The vulnerability spans versions from 9.7-rc-1 up to but not including 15.10.11, 16.4.1, and 16.5.0. Mitigation is available through updates to the aforementioned versions or via manual patching of the page 'XWiki.XWikiSyntaxMacrosList'.
Affected Version(s)
xwiki-platform >= 9.7-rc-1, < 15.10.11 < 9.7-rc-1, 15.10.11
xwiki-platform >= 16.0.0-rc-1, < 16.4.1 < 16.0.0-rc-1, 16.4.1
xwiki-platform >= 16.5.0-rc-1, < 16.5.0 < 16.5.0-rc-1, 16.5.0
References
EPSS Score
42% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved