SQL injection in XWiki platform - CVE-2024-55663

Published: December 12, 2024 / Updated: April 9, 2026

Vulnerability identifier: #VU125589
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-55663
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software: XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify database contents.

The vulnerability exists due to SQL injection in the getdocument.vm template when it processes the request.sort parameter. A remote attacker can send a specially crafted request to disclose sensitive information and modify database contents.

Depending on the database backend, exploitation may allow access to confidential data such as password hashes and execution of UPDATE, INSERT, or DELETE queries.
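As an added illustration of the defensive pattern at issue (example code written for this page, not XWiki's own implementation; the column names, table layout and sample rows are constructed), the following Python shows an allowlist-based handler for a user-supplied sort parameter next to the string-concatenation anti-pattern it replaces. A sort column or direction cannot be bound as a prepared-statement parameter, so the safe handler maps the request value onto fixed SQL identifiers and rejects everything else before any query is built:

```python
import re
import sqlite3

# Constructed sample data standing in for a document table; not XWiki's schema.
SAMPLE_DOCS = [
    ("Main.WebHome", "2024-01-03", "alice"),
    ("Sandbox.Test", "2024-02-14", "bob"),
    ("Main.About", "2023-12-30", "carol"),
]

# Allowlist: the only sort keys and directions a request may select.
# Keys are what the request carries; values are the real SQL identifiers.
SORT_COLUMNS = {"name": "name", "date": "updated", "author": "author"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
_TOKEN = re.compile(r"^[A-Za-z]+$")


def build_order_by_unsafe(sort_param: str) -> str:
    """The anti-pattern: request text is pasted straight into the query (CWE-89)."""
    return f"ORDER BY {sort_param}"


def build_order_by_safe(sort_param: str) -> str:
    """Map a 'column[ direction]' request value onto allowlisted identifiers.

    Anything outside the allowlist raises before it can reach the database."""
    parts = sort_param.strip().split()
    if not 1 <= len(parts) <= 2 or not all(_TOKEN.match(p) for p in parts):
        raise ValueError(f"rejected sort value: {sort_param!r}")
    column = SORT_COLUMNS.get(parts[0].lower())
    direction = SORT_DIRECTIONS.get(parts[1].lower()) if len(parts) == 2 else "ASC"
    if column is None or direction is None:
        raise ValueError(f"rejected sort value: {sort_param!r}")
    return f"ORDER BY {column} {direction}"


def is_valid_sort(sort_param: str) -> bool:
    """Convenience check for callers that want a boolean instead of an exception."""
    try:
        build_order_by_safe(sort_param)
        return True
    except ValueError:
        return False


def list_documents(sort_param: str) -> list[str]:
    """Run a query over an in-memory table using only a validated ORDER BY clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (name TEXT, updated TEXT, author TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?, ?, ?)", SAMPLE_DOCS)
    rows = conn.execute("SELECT name FROM doc " + build_order_by_safe(sort_param)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(list_documents("date desc"))   # newest first
    print(is_valid_sort("updated, author"))  # False: not an allowlisted key
```

The unsafe builder accepts any text, which is exactly what lets a sort parameter become a second query fragment; the safe builder never echoes request text into SQL at all, only the identifier it maps to, so the surface described in the advisory disappears regardless of which database backend is behind the query.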

How to mitigate CVE-2024-55663

Install the security update from the vendor's website.

Sources