#VU126944 Improper privilege management in XWiki platform - CVE-2024-43401

 

Published: August 19, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU126944
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-43401
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper privilege management in the WYSIWYG editor: when a page is opened for editing, its content is rendered with the rights of the user who is editing rather than with the rights of the user who authored and saved that content. A remote user who can edit a page can store content containing a script macro (for example a Groovy or Velocity macro) and trick a user with script or programming rights into opening that page in the WYSIWYG editor; the macro is then executed with the victim's privileges.

User interaction is required, and the payload is executed at edit time: the victim does not have to save or otherwise approve the attacker's content for it to run.
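The following triage script is an added example, not code from XWiki or from this advisory. It takes page records (reference, last content author, wiki-syntax content), strips XWiki verbatim blocks (`{{{ ... }}}`, whose contents are never executed), and flags pages that contain a script-capable macro but were last saved by someone outside an assumed allow-list of trusted script authors. Those are the pages a script- or programming-rights user should not open in the WYSIWYG editor on an unpatched instance without first reviewing the source. The macro list, the trusted-author set and the sample pages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Macros in XWiki 2.x syntax whose body is executed when the content is rendered.
# This set is an assumption for the example; extend it for any macro that runs code.
SCRIPT_MACROS = ("groovy", "velocity", "python", "ruby", "php", "html")

# Matches an opening macro tag such as "{{groovy}}" or "{{ velocity }}", but not the
# closing "{{/groovy}}" form, because "/" breaks the match after "{{".
MACRO_RE = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# "{{{ ... }}}" is XWiki's verbatim block: macro syntax inside it is displayed, not run.
VERBATIM_RE = re.compile(r"\{\{\{.*?\}\}\}", re.DOTALL)


@dataclass
class Page:
    reference: str        # e.g. "xwiki:Space.Page"
    content_author: str   # user who last saved the content
    content: str          # page source in XWiki 2.x syntax


def script_macros_in(content: str) -> list[str]:
    """Return the script-capable macros found outside verbatim blocks, in order of appearance."""
    stripped = VERBATIM_RE.sub("", content)
    return [m.group(1).lower() for m in MACRO_RE.finditer(stripped)]


def risky_pages(pages, trusted_authors):
    """Pages whose stored content carries a script macro saved by an untrusted author.

    Opening such a page in the WYSIWYG editor as a script/programming user would, on an
    affected XWiki, execute the macro body with the editor's rights at edit time.
    Returns (reference, content_author, sorted unique macro names) tuples.
    """
    findings = []
    for page in pages:
        macros = script_macros_in(page.content)
        if macros and page.content_author not in trusted_authors:
            findings.append((page.reference, page.content_author, sorted(set(macros))))
    return findings


# Constructed sample data for the example; not taken from any real wiki.
SAMPLE_PAGES = [
    Page("xwiki:Main.WebHome", "XWiki.Admin",
         "= Welcome =\n{{velocity}}$services.localization.render('hello'){{/velocity}}"),
    Page("xwiki:Sandbox.Notes", "XWiki.Guest1",
         "Meeting notes\n{{groovy}}\nprintln 'executed at edit time'\n{{/groovy}}"),
    Page("xwiki:Sandbox.Howto", "XWiki.Guest1",
         "Use {{{ {{groovy}}code{{/groovy}} }}} to show macro syntax literally."),
    Page("xwiki:Sandbox.Plain", "XWiki.Guest2", "Just text, nothing executable."),
]

# Assumed allow-list: authors whose script macros are expected on this wiki.
TRUSTED_AUTHORS = {"XWiki.Admin"}

if __name__ == "__main__":
    for ref, author, macros in risky_pages(SAMPLE_PAGES, TRUSTED_AUTHORS):
        print(f"{ref}: script macro(s) {', '.join(macros)} last saved by {author}")
```

On the sample data only `xwiki:Sandbox.Notes` is reported: the admin-authored Velocity page is trusted, the "Howto" page only shows macro syntax inside a verbatim block, and the plain page has no macro. The check is a heuristic over page source, so a real sweep should run it over an export of every page a privileged user might edit and treat any hit as "review the source before opening the editor".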


Remediation

Install security update from vendor's website.

External links