VYPR
Moderate severityNVD Advisory· Published Dec 12, 2024· Updated Dec 13, 2024

XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

CVE-2024-55876

Description

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on Scheduler.WebPreferences to match the patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-scheduler-uiMaven
>= 1.2-milestone-2, < 15.10.915.10.9
org.xwiki.platform:xwiki-platform-scheduler-uiMaven
>= 16.0.0-rc-1, < 16.3.016.3.0

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.