#VU125598 Code injection in XWiki platform - CVE-2024-37900

 

Published: July 31, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125598
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-37900
CWE-ID: CWE-96
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary JavaScript code in the victim's browser.

The vulnerability exists because the attachment uploader does not properly neutralize special elements in attachment filenames when it processes a malicious filename during upload. A remote user can trick the victim into uploading a specially crafted file and thereby execute arbitrary JavaScript code in the victim's browser.

User interaction is required, and the malicious code is executed only during the upload and affects only the user uploading the attachment.
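The bug class described above, a filename reflected into the uploader's markup without neutralization, shown as an added example that is not XWiki's code: the vulnerable string-building pattern next to its escaped form, plus an allowlist check for attachment names. All function names and the sample filenames are constructed for this illustration.

```javascript
// Added example, not code from the XWiki project. Demonstrates the weakness
// behind CVE-2024-37900 in the abstract: a user-controlled attachment filename
// placed into the uploader's HTML. Names and sample inputs are constructed.

// Minimal HTML entity escaping for text placed in element content or
// double/single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the filename is interpolated straight into markup, so
// any markup characters in the name become live elements in the uploader's
// page, running in the uploading user's browser.
function renderAttachmentRowUnsafe(filename) {
  return `<li class="attachment"><span class="name">${filename}</span></li>`;
}

// Hardened pattern: identical row, filename escaped before interpolation.
// In a real browser UI, prefer document.createElement + textContent, which
// avoids string-built HTML altogether.
function renderAttachmentRowSafe(filename) {
  return `<li class="attachment"><span class="name">${escapeHtml(filename)}</span></li>`;
}

// Defence in depth: validate the name before it reaches storage or the UI.
// Allowlist of ordinary filename characters, 1..255 chars, must start with an
// alphanumeric character. Rejects markup and control characters outright.
const ACCEPTABLE_NAME = /^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}$/;
function isAcceptableAttachmentName(filename) {
  return typeof filename === 'string' && ACCEPTABLE_NAME.test(filename);
}

// Constructed sample names: one benign, one carrying HTML markup.
const SAMPLE_NAMES = ['Q3 report (final).pdf', 'invoice<b>2024</b>.pdf'];
for (const name of SAMPLE_NAMES) {
  console.log(isAcceptableAttachmentName(name) ? 'accept' : 'reject', renderAttachmentRowSafe(name));
}
```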


Remediation

Install the security update from the vendor's website.

External links