Eval Injection in XWiki platform - CVE-2024-37901
Published: July 31, 2024 / Updated: May 5, 2026
Vulnerability identifier: #VU129873
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-37901
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: XWiki
Affected software:
XWiki platform
XWiki platform
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in SearchSuggestConfigSheet when processing XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass objects added to a user profile or another page. A remote user can add crafted objects and properties to trigger code execution to execute arbitrary code.
The issue can be exploited by any user with edit right on any page, even without script or programming rights.
How to mitigate CVE-2024-37901
Install security update from vendor's website.