CRITICAL🇵🇱 Wersja polska

CVE-2024-37901

CVSS 9.9v3.1pub. 2024-07-31upd. 2024-09-06

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

🤖 AI Analysis
How it works

The vulnerability results from improper access control (CWE-862) and code injection and evaluation capabilities (CWE-95, CWE-94). A user with edit rights can define specially crafted instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` classes on any wiki page, including their own profile. The platform processes these objects without proper permission verification and isolation, leading to embedded code execution in the server context.

Impact

An attacker can take full control of the XWiki installation, gaining access to all data, modifying wiki content, and causing service unavailability — resulting in a complete breach of system confidentiality, integrity, and availability.

Mitigation & patch

XWiki Platform should be updated to version 14.10.21, 15.5.5, or 15.10.2, in which the vulnerability has been removed. Patches are available in the XWiki project GitHub repository.

Who is affected

XWiki Platform in all versions before 14.10.21, 15.5.5, and 15.10.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    9.2 – 14.10.21 (bez)15.0 – 15.5.5 (bez)15.6 – 15.10.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra