CRITICAL🇵🇱 Wersja polska

CVE-2024-21650

CVSS 10.0v3.1pub. 2024-01-08upd. 2024-11-21

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1.

🤖 AI Analysis
How it works

The vulnerability results from improper input handling (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code, CWE-94: Improper Control of Code Generation). An attacker places a malicious payload in the 'first name' or 'last name' fields during new user account registration. The platform processes this data in a way that allows embedded code interpretation, leading to its execution in the server context. No privileges or user interaction are required to carry out the attack.

Impact

An attacker can execute arbitrary code on the server hosting XWiki, potentially leading to complete system compromise, data theft, wiki content modification, and lateral movement within the internal network.

Mitigation & patch

XWiki Platform should be updated to version 14.10.17, 15.5.3, or 15.8 RC1 (or newer). If immediate updating is not possible, the user registration feature for guests should be temporarily disabled until the patch is applied.

Who is affected

All XWiki Platform installations with user registration enabled for guests, running versions prior to 14.10.17, 15.5.3, and 15.8 RC1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    < 14.10.1715.0 – 15.5.3 (bez)15.6 – 15.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra