XWiki Platform Subwiki Scheduler Privilege Escalation Vulnerability
CVE-2024-55876 Published on December 12, 2024
XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-55876 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-55876
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 1.2-milestone-2, < 15.10.9 is affected.
- Version >= 16.0.0-rc-1, < 16.3.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.