SB2024121266 - Multiple vulnerabilities in XWiki platform
Published: December 12, 2024 Updated: April 9, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Code injection (CVE-ID: CVE-2024-55662)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a command in the Extension Repository Application extension sheet when rendering the description of an ExtensionCode.ExtensionClass object. A remote user can add a crafted ExtensionCode.ExtensionClass object with malicious script content to execute arbitrary code.
Only instances where the Extension Repository Application is installed are vulnerable.
2) Missing Authorization (CVE-ID: CVE-2024-45591)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper authorization in the REST API history endpoint when handling requests for page history. A remote attacker can request the history of any page whose name is known to disclose sensitive information.
The exposed history can include modification times, version numbers, author usernames and displayed names, and version comments, including on fully private wiki instances.
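A defender-side check for this issue, added here and not part of the bulletin or of XWiki's own code: it scans web-server access log lines for successful anonymous reads of the REST page-history endpoint, which a patched instance should refuse on a private wiki. The combined log format, the `/rest/wikis/<wiki>/spaces/<space>/pages/<page>/history` path shape and the log lines themselves are assumptions and constructed samples, not values from the advisory.

```python
import re

# Constructed sample access log in combined log format (synthetic, not real traffic).
# The history path shape /rest/wikis/<wiki>/spaces/<space>/pages/<page>/history is
# assumed from the public XWiki REST API layout; it is not quoted in the bulletin.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Finance/pages/Budget/history HTTP/1.1" 200 4821 "-" "curl/8.4.0"
10.0.0.6 - alice [12/Dec/2024:10:01:09 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Finance/pages/Budget/history HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Dec/2024:10:01:15 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Dec/2024:10:01:20 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/HR/pages/Salaries/history HTTP/1.1" 200 3310 "-" "curl/8.4.0"
10.0.0.8 - - [12/Dec/2024:10:01:31 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/HR/pages/Salaries/history HTTP/1.1" 401 0 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
HISTORY_RE = re.compile(
    r'/rest/wikis/(?P<wiki>[^/]+)/spaces/(?P<space>.+?)/pages/(?P<page>[^/?]+)/history(?:$|[/?])'
)

def find_unauthenticated_history_reads(log_text):
    """Return successful (2xx) anonymous history reads, one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        h = HISTORY_RE.search(m.group("path"))
        if h is None or m.group("user") != "-":
            continue  # not a history read, or the caller was authenticated
        if not m.group("status").startswith("2"):
            continue  # denied or failed: nothing was disclosed
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "wiki": h.group("wiki"),
                     "space": h.group("space"), "page": h.group("page")})
    return hits

def pages_exposed_by_ip(hits):
    """Group anonymously read pages by client IP so enumeration stands out."""
    by_ip = {}
    for hit in hits:
        by_ip.setdefault(hit["ip"], set()).add(hit["space"] + "." + hit["page"])
    return by_ip

if __name__ == "__main__":
    found = find_unauthenticated_history_reads(SAMPLE_LOG)
    for ip, pages in sorted(pages_exposed_by_ip(found).items()):
        print(f"{ip}: {len(pages)} page history read anonymously: {sorted(pages)}")
```

A 401 or 403 on these requests after patching is the expected outcome; a 200 to an anonymous caller on a wiki that is meant to be private is the signal to investigate.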
3) Missing Authorization (CVE-ID: CVE-2024-55879)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in configurable sections based on XWiki.ConfigurableClass when rendering custom configurable section headings. A remote privileged user can add an XWiki.ConfigurableClass object to a page and inject script content in the Heading field to execute arbitrary code.
The issue can be triggered by viewing the crafted page through the administration sheet with a section parameter referencing the custom section.
4) Missing Authorization (CVE-ID: CVE-2024-55876)
The vulnerability allows a remote user to perform scheduling operations on subwikis for any main wiki user.
The vulnerability exists due to improper access control in Scheduler.WebHome when handling scheduling operation requests in a subwiki. A remote user can trigger job operations to perform scheduling operations on subwikis for any main wiki user.
Only subwikis with the job scheduler enabled are vulnerable.
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm
- https://github.com/advisories/GHSA-pvmm-55r5-g3mm
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6