XWiki XSS via crafted URL on pages, fixed 14.10.21/15.x
CVE-2024-43400 Published on August 19, 2024
XWiki Platform allows XSS through XClass name in string properties
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Vulnerability Analysis
CVE-2024-43400 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-43400. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Static Code Injection Vulnerability?
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
CVE-2024-43400 has been classified to as a Static Code Injection vulnerability or weakness.
Products Associated with CVE-2024-43400
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 15.6-rc-1, < 15.10.2 is affected.
- Version >= 15.0-rc-1, < 15.5.5 is affected.
- Version < 14.10.21 is affected.
- Version = 16.0.0-rc-1 is affected.
- Version 15.6-rc-1 and below 15.10.2 is affected.
- Version 15.0-rc-1 and below 15.5.5 is affected.
- Before 14.10.21 is affected.
- Version 16.0.0-rc-1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-43400
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-oldcore | >= 1.1.2, < 14.10.21 | 14.10.21 |
| maven | org.xwiki.platform:xwiki-platform-oldcore | >= 15.0-rc-1, < 15.5.5 | 15.5.5 |
| maven | org.xwiki.platform:xwiki-platform-oldcore | >= 15.6-rc-1, < 15.10.6 | 15.10.6 |
| maven | org.xwiki.platform:xwiki-platform-oldcore | = 16.0.0-rc-1 | 16.0.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.