Code injection in XWiki platform - CVE-2024-37900

Published: July 31, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125598
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-37900
CWE-ID: CWE-96
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.

The vulnerability exists due to improper neutralization of special elements in attachment filenames in the attachment uploader when processing a malicious attachment filename during upload. A remote user can trick the victim into uploading a specially crafted file to execute arbitrary JavaScript code in the victim's browser.

User interaction is required, and the malicious code is executed only during the upload and affects only the user uploading the attachment.
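As an added example of the bug class described above (not XWiki's own code), the snippet below contrasts an uploader that splices the attachment filename into HTML by string concatenation with a hardened version that treats the name as text; the function names, the filename and the size value are constructed for illustration.

```javascript
// Added illustration, not XWiki code: the filename an uploader echoes back to
// the user is attacker-influenced input and must be rendered as text, not HTML.

// Vulnerable pattern: the raw filename is concatenated into markup. When this
// string is later assigned to innerHTML, any tag in the name becomes live DOM.
function renderAttachmentRowUnsafe(filename, sizeBytes) {
  return '<li class="attachment">' + filename + ' (' + sizeBytes + ' bytes)</li>';
}

// Minimal HTML escaping for text that lands in element content or a quoted
// attribute value; the five characters below are the ones that change meaning.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened variant: every untrusted value is escaped before entering the markup,
// and the numeric size is coerced so it cannot carry markup either.
function renderAttachmentRowSafe(filename, sizeBytes) {
  const name = escapeHtml(filename);
  return '<li class="attachment" title="' + name + '">' +
    name + ' (' + Number(sizeBytes) + ' bytes)</li>';
}

// Preferred in real uploader code: build nodes with DOM APIs so the filename is
// a text node and the HTML parser never sees it (expects a browser `document`).
function appendAttachmentRow(doc, listEl, filename) {
  const li = doc.createElement('li');
  li.className = 'attachment';
  li.textContent = filename; // assigned as text, never parsed as markup
  listEl.appendChild(li);
  return li;
}

// Constructed test input: a filename carrying harmless markup. With the unsafe
// renderer the <i> tag survives verbatim; with the safe one it is escaped.
const SAMPLE_FILENAME = 'notes<i>draft</i>.txt';

function rawTagSurvives(renderFn) {
  return renderFn(SAMPLE_FILENAME, 1024).includes('<i>');
}
```

A regression check for an uploader is exactly the last function: feed a filename containing markup through the rendering path and assert that nothing but escaped text reaches the DOM.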


How to mitigate CVE-2024-37900

Install the security update from the vendor's website.

Sources