SB20240731225 - Eval Injection in XWiki platform




Published: July 31, 2024 Updated: May 5, 2026

Security Bulletin ID SB20240731225
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Eval Injection (CVE-ID: CVE-2024-37901)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in SearchSuggestConfigSheet, the sheet that processes XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass objects. Such objects can be added to a user profile or to any other page the attacker can edit, and the values stored in them reach the sheet's dynamically evaluated code without being escaped. A remote user can therefore add crafted objects and properties to execute arbitrary code.

The issue can be exploited by any user with edit rights on any page (the user's own profile page is sufficient), even without script or programming rights, because the injected code runs in the context of the sheet rather than with the attacker's own rights.
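Because the abuse path is a legitimate-looking XWiki.SearchSuggestConfig or XWiki.SearchSuggestSourceClass object stored on a page where it does not belong, a useful post-exploitation check is to list the objects on candidate pages (user profiles first) and flag those classes anywhere other than the canonical configuration page. The script below is an added example written for this bulletin, not code from XWiki or from the bulletin's author. It assumes the JSON shape of the XWiki REST `.../pages/{page}/objects` endpoint (a top-level `objectSummaries` list whose entries carry `className` and `number`), assumes the canonical home of these objects is the page XWiki.SearchSuggestConfig, and uses constructed sample listings so it runs offline.

```python
"""Hunt for SearchSuggest objects stored outside their expected page.

Added example for SB20240731225 / CVE-2024-37901; not XWiki project code.
Assumptions: the canonical page holding these objects is
XWiki.SearchSuggestConfig, and object listings follow the XWiki REST
objects endpoint JSON shape (objectSummaries -> className, number).
"""

SUSPECT_CLASSES = {"XWiki.SearchSuggestConfig", "XWiki.SearchSuggestSourceClass"}
EXPECTED_PAGE = "XWiki.SearchSuggestConfig"  # assumption: canonical config page

# Constructed sample data: object listings for three pages, keyed by page
# reference, shaped like the REST objects endpoint response (assumption).
SAMPLE_LISTINGS = {
    "XWiki.SearchSuggestConfig": {
        "objectSummaries": [
            {"className": "XWiki.SearchSuggestConfig", "number": 0},
            {"className": "XWiki.SearchSuggestSourceClass", "number": 0},
            {"className": "XWiki.SearchSuggestSourceClass", "number": 1},
        ]
    },
    # A user profile carrying a source object it should never contain.
    "XWiki.JaneDoe": {
        "objectSummaries": [
            {"className": "XWiki.XWikiUsers", "number": 0},
            {"className": "XWiki.SearchSuggestSourceClass", "number": 0},
        ]
    },
    "Sandbox.WebHome": {"objectSummaries": []},
}


def objects_url(base_url, wiki, page_ref):
    """Build the REST URL that lists a page's objects.

    Handles only flat 'Space.Page' references; nested spaces are out of
    scope for this example (assumption about the URL layout).
    """
    space, page = page_ref.rsplit(".", 1)
    return f"{base_url}/rest/wikis/{wiki}/spaces/{space}/pages/{page}/objects"


def suspicious_objects(listings):
    """Return (page, className, number) for every suspect-class object
    found on a page other than the expected configuration page."""
    findings = []
    for page_ref, body in listings.items():
        if page_ref == EXPECTED_PAGE:
            continue  # objects belong here; nothing to flag
        for obj in body.get("objectSummaries", []):
            if obj.get("className") in SUSPECT_CLASSES:
                findings.append((page_ref, obj["className"], obj.get("number")))
    return findings


if __name__ == "__main__":
    for page_ref in SAMPLE_LISTINGS:
        print("would query:", objects_url("https://wiki.example", "xwiki", page_ref))
    for page_ref, class_name, number in suspicious_objects(SAMPLE_LISTINGS):
        print(f"SUSPECT: {page_ref} carries {class_name} #{number}")
```

In a live investigation the `SAMPLE_LISTINGS` dictionary would be replaced by the parsed responses of `objects_url(...)` for each page of interest, fetched with an authenticated session; any hit outside XWiki.SearchSuggestConfig is a candidate for the crafted-object technique described above and warrants inspecting that object's property values and the page history for who added it.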


Remediation

Install the update from the vendor's website.