SB20240620276 - Multiple vulnerabilities in XWiki platform
Published: June 20, 2024 Updated: April 23, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Code injection (CVE-ID: CVE-2024-43400)
CWE-ID: CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to improper neutralization of special elements used in a script context in string properties when processing a crafted URL referencing an XClass name. A remote user can craft a malicious URL and trick a user into following it to execute arbitrary JavaScript in a victim's browser.
User interaction is required, and the issue can be exploited by a user without Script or Programming rights.
2) Missing Authorization (CVE-ID: CVE-2024-37898)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite or delete a document without delete rights.
The vulnerability exists due to improper access control in the document save operation when saving a page by replacing view with edit in the URL for a page the user can edit but not view. A remote user can save crafted page content to overwrite the existing page and move the previous version to the recycle bin to overwrite or delete a document without delete rights.
The issue occurs only when a user has edit right but not view right on the target page.
3) Code injection (CVE-ID: CVE-2024-37900)
CWE-ID: CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.
The vulnerability exists due to improper neutralization of special elements in attachment filenames in the attachment uploader when processing a malicious attachment filename during upload. A remote user can trick the victim into uploading a specially crafted file to execute arbitrary JavaScript code in the victim's browser.
User interaction is required, and the malicious code is executed only during the upload and affects only the user uploading the attachment.
4) Incorrect Privilege Assignment (CVE-ID: CVE-2024-37899)
CWE-ID: CWE-266 - Incorrect Privilege Assignment
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the user profile handling during account disabling when an administrator disables a user account containing crafted profile content. A remote user can place malicious code in the user profile to execute arbitrary code.
User interaction is required because an administrator must disable the user account.
5) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2024-46979)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose notification filters of arbitrary users.
The vulnerability exists due to improper access control in the NotificationFilterPreferenceLivetableResults endpoint when handling crafted requests that specify a target user. A remote attacker can send a specially crafted request with the user parameter to disclose notification filters of arbitrary users.
The exposed filters mainly contain references that are public data in XWiki, but the disclosed information could be useful when combined with other vulnerabilities.
6) Incorrect Use of Privileged APIs (CVE-ID: CVE-2024-46978)
CWE-ID: CWE-648 - Incorrect Use of Privileged APIs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete another user's notification filter preferences.
The vulnerability exists due to improper access control in the notification preference service when handling requests to edit notification filter preferences. A remote user can send a request referencing the ID of another user's notification filter preference to modify or delete another user's notification filter preferences.
Exploitation requires knowledge of the ID of another user's notification filter preference.
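As an added illustration, not code from XWiki or from this bulletin, the following hypothetical Python model shows the authorization checks that items 2, 5 and 6 describe as missing, each weak version beside a corrected one. The page, rights and preference structures, the function names and the sample users are all assumptions made for the example.

```python
# Hypothetical model of the three access-control defects (items 2, 5, 6); not XWiki code.
# page = {"content": str, "rights": {user: set(rights)}}; prefs = {pref_id: (owner, expr)}
class Forbidden(Exception):
    pass

def has_right(page, user, right):
    return right in page["rights"].get(user, set())

def save_page_vulnerable(page, user, new_content):
    # Item 2: only 'edit' is checked, so a user who can edit but not view still overwrites.
    if not has_right(page, user, "edit"):
        raise Forbidden("edit right required")
    page["content"] = new_content
    return page["content"]

def save_page_fixed(page, user, new_content):
    # Require both view and edit before accepting the save.
    if not (has_right(page, user, "view") and has_right(page, user, "edit")):
        raise Forbidden("view and edit rights required")
    page["content"] = new_content
    return page["content"]

def list_filters_vulnerable(prefs, caller, target_user):
    # Item 5: the caller-supplied 'user' parameter is trusted as-is.
    return [expr for owner, expr in prefs.values() if owner == target_user]

def list_filters_fixed(prefs, caller, target_user, admins=frozenset()):
    # Only the owner or an administrator may read a user's filters.
    if caller != target_user and caller not in admins:
        raise Forbidden("not owner")
    return list_filters_vulnerable(prefs, caller, target_user)

def delete_filter_vulnerable(prefs, caller, pref_id):
    # Item 6: any user who knows the preference ID can delete it.
    del prefs[pref_id]
    return True

def delete_filter_fixed(prefs, caller, pref_id):
    # Check ownership; unknown and foreign IDs get the same refusal.
    if pref_id not in prefs or prefs[pref_id][0] != caller:
        raise Forbidden("not owner")
    del prefs[pref_id]
    return True

def denied(fn, *args):
    # True when the call is refused by an authorization check.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```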
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v
- https://github.com/advisories/GHSA-wcg9-pgqv-xm5v
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq
- https://github.com/advisories/GHSA-33gp-gmg3-hfpq
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g
- https://github.com/advisories/GHSA-wf3x-jccf-5g5g
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://github.com/advisories/GHSA-j584-j2vj-3f93
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pg4m-3gp6-hw4w
- https://github.com/advisories/GHSA-pg4m-3gp6-hw4w
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx