CVE-2024-55877

12 Dic 2024

Título es

CVE-2024-55877

Jue, 12/12/2024 – 20:15

Tipo

CWE-96

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-55877

Descripción en

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.

12/12/2024

Vector CVSS:3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

9.90

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

CRITICAL

Referencias

https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c

https://jira.xwiki.org/browse/XWIKI-22030

Enviar en el boletín