XWiki Platform Remote Code Execution Vulnerability in Extension Repository Application
CVE-2024-55662 Published on December 12, 2024
XWiki allows remote code execution through the extension sheet
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
Vulnerability Analysis
CVE-2024-55662 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-55662. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Types
What is a Static Code Injection Vulnerability?
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
CVE-2024-55662 has been classified to as a Static Code Injection vulnerability or weakness.
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2024-55662 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-55662
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 3.3-milestone-1, < 15.10.9 is affected.
- Version >= 16.0.0-rc-1, < 16.3.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-55662
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-repository-server-ui | >= 3.3-milestone-1, < 15.10.9 | 15.10.9 |
| maven | org.xwiki.platform:xwiki-platform-repository-server-ui | >= 16.0.0-rc-1, < 16.3.0 | 16.3.0 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.