Critical severityNVD Advisory· Published Aug 19, 2024· Updated Aug 21, 2024
In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them
CVE-2024-43401
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-web-templatesMaven | < 15.10-rc-1 | 15.10-rc-1 |
Affected products
1- Range: < 15.10-rc-1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
15- github.com/advisories/GHSA-f963-4cq8-2gw7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-43401ghsaADVISORY
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7ghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-20331ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21311ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21481ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21482ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21483ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21484ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21485ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21486ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21487ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21488ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21489ghsax_refsource_MISCWEB
- jira.xwiki.org/browse/XWIKI-21490ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.