SB20240620276 - Multiple vulnerabilities in XWiki platform
Published: June 20, 2024 Updated: April 9, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Code injection (CVE-ID: CVE-2024-43400)
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to improper neutralization of special elements used in a script context in string properties when processing a crafted URL referencing an XClass name. A remote user can craft a malicious URL and trick a user into following it to execute arbitrary JavaScript in a victim's browser.
User interaction is required, and the issue can be exploited by a user without Script or Programming rights.
2) Missing Authorization (CVE-ID: CVE-2024-37898)
The vulnerability allows a remote user to overwrite or delete a document without delete rights.
The vulnerability exists due to improper access control in the document save operation: a user who has edit right but not view right on a page can open it by replacing "view" with "edit" in the URL, and the subsequent save is accepted. A remote user can save crafted page content to overwrite the existing page, which moves the previous version to the recycle bin, and thereby overwrite or delete a document without delete rights.
The issue occurs only when a user has edit right but not view right on the target page.
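The defensive point behind item 2 is that the rights a save handler checks must match what the save actually does: replacing an existing page removes the previous revision, so consulting only the edit right is not enough. The following is an added example, not XWiki's own access-control code or the vendor's fix; the rights model, document names and the rule "replacing existing content also requires view right" are assumptions made for illustration.

```javascript
// Constructed access-control list: who holds which rights on which document.
// Assumption for illustration; not XWiki's rights model or API.
const SAMPLE_ACL = {
  'Sandbox.Confidential': { alice: ['edit'], bob: ['view', 'edit', 'delete'] },
};

class DocumentStore {
  constructor(acl, docs = {}) {
    this.acl = acl;
    this.docs = new Map(Object.entries(docs));
    this.recycleBin = [];
  }

  hasRight(user, docName, right) {
    const rights = (this.acl[docName] && this.acl[docName][user]) || [];
    return rights.includes(right);
  }

  // Weak check: consults only the edit right, so a user who may edit but not view
  // can still replace (and in effect delete) content they were never allowed to see.
  saveWeak(user, docName, content) {
    if (!this.hasRight(user, docName, 'edit')) return { ok: false, reason: 'edit right required' };
    return this.commit(docName, content);
  }

  // Stricter check (assumed rule): replacing an existing document also requires view
  // right, because the save removes the previous revision into the recycle bin, an
  // outcome a user without view or delete right should not be able to cause.
  saveStrict(user, docName, content) {
    if (!this.hasRight(user, docName, 'edit')) return { ok: false, reason: 'edit right required' };
    if (this.docs.has(docName) && !this.hasRight(user, docName, 'view')) {
      return { ok: false, reason: 'view right required to replace existing content' };
    }
    return this.commit(docName, content);
  }

  commit(docName, content) {
    if (this.docs.has(docName)) {
      this.recycleBin.push({ docName, content: this.docs.get(docName) });
    }
    this.docs.set(docName, content);
    return { ok: true };
  }
}

// Run the same request against both checks and report what each one allowed.
function compareChecks(user, docName, content) {
  const initial = { 'Sandbox.Confidential': 'original confidential text' };
  const weakStore = new DocumentStore(SAMPLE_ACL, initial);
  const strictStore = new DocumentStore(SAMPLE_ACL, initial);
  const weak = weakStore.saveWeak(user, docName, content);
  const strict = strictStore.saveStrict(user, docName, content);
  return {
    weakAllowed: weak.ok,
    weakRecycled: weakStore.recycleBin.length,
    strictAllowed: strict.ok,
    strictRecycled: strictStore.recycleBin.length,
  };
}

console.log(compareChecks('alice', 'Sandbox.Confidential', 'replaced'));
console.log(compareChecks('bob', 'Sandbox.Confidential', 'replaced'));
```

For alice (edit only) the weak check overwrites the page and pushes the old revision into the recycle bin, while the strict check refuses; for bob (view, edit, delete) both checks allow the save. When reviewing a save or move handler, enumerate every side effect of the operation and confirm a right is checked for each.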
3) Code injection (CVE-ID: CVE-2024-37900)
The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.
The vulnerability exists due to improper neutralization of special elements in attachment filenames in the attachment uploader when processing a malicious attachment filename during upload. A remote user can trick the victim into uploading a specially crafted file to execute arbitrary JavaScript code in the victim's browser.
User interaction is required, and the malicious code is executed only during the upload and affects only the user uploading the attachment.
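Items 1 and 3 are both instances of the same defect class: untrusted text (an XClass name taken from the URL, an attachment filename) placed into a JavaScript string literal inside an inline script without neutralizing the characters that end the literal or the script element. The following added example, which is not XWiki code and does not reproduce either vulnerability, shows the vulnerable concatenation pattern beside a hardened serializer and a small check that reports whether the generated script still carries the value as a single string argument. The function name `showUploaded` and the sample filenames are constructed for illustration.

```javascript
// Constructed sample attachment names (illustrative only; not from the advisory).
const SAMPLE_FILENAMES = [
  'report.pdf',                                // benign
  'a".alert(1);//.png',                        // closes the JS string literal early
  'x</script><script>alert(1)</script>.txt',   // closes the HTML script element early
];

// Vulnerable pattern: untrusted text concatenated straight into an inline script.
function buildScriptUnsafe(filename) {
  return '<script>showUploaded("' + filename + '");</script>';
}

// Serialize a value as a JS literal that is safe inside an inline <script>:
// JSON.stringify handles quotes and backslashes; the extra replacements cover
// what JSON alone does not.
function escapeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')          // keep "</script" from ending the element
    .replace(/\u2028/g, '\\u2028')    // line terminators: invalid in string literals before ES2019
    .replace(/\u2029/g, '\\u2029');
}

function buildScriptSafe(filename) {
  return '<script>showUploaded(' + escapeForInlineScript(filename) + ');</script>';
}

// True when the markup is one script element whose body is exactly one call with a
// single string argument. An HTML parser ends the element at the first "</script",
// so more than one occurrence means the value broke out of the script.
function scriptIsIntact(markup) {
  const lower = markup.toLowerCase();
  if (lower.indexOf('</script') !== lower.lastIndexOf('</script')) return false;
  const m = /^<script>showUploaded\((.*)\);<\/script>$/s.exec(markup);
  if (!m) return false;
  try {
    return typeof JSON.parse(m[1]) === 'string';
  } catch (e) {
    return false; // the argument is no longer a single string literal
  }
}

// Compare both builders over the sample names.
function audit(filenames = SAMPLE_FILENAMES) {
  return filenames.map((name) => ({
    name,
    unsafeIntact: scriptIsIntact(buildScriptUnsafe(name)),
    safeIntact: scriptIsIntact(buildScriptSafe(name)),
  }));
}

console.log(audit());
```

The benign name survives both builders, while the two crafted names break out of the string or the element only in the unsafe builder. The same serializer applies to any server-side template that writes a dynamic value into a script context; where a templating engine already offers a JavaScript-context escaper, prefer that over hand-written replacements.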
4) Incorrect Privilege Assignment (CVE-ID: CVE-2024-37899)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the user profile handling during account disabling when an administrator disables a user account containing crafted profile content. A remote user can place malicious code in the user profile to execute arbitrary code.
User interaction is required because an administrator must disable the user account.
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v
- https://github.com/advisories/GHSA-wcg9-pgqv-xm5v
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq
- https://github.com/advisories/GHSA-33gp-gmg3-hfpq
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g
- https://github.com/advisories/GHSA-wf3x-jccf-5g5g
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://github.com/advisories/GHSA-j584-j2vj-3f93