Incorrect authorization in XWiki platform - CVE-2024-38369

Published: June 24, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129980
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-38369
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to impersonate the author of a document that uses the include macro.

The vulnerability exists due to incorrect authorization in the include macro when content from an included document is executed. A remote user who can modify the included document can have that content executed with the rights of the author of the including document, effectively impersonating that author.

The root cause is that the included content is executed with the rights of the includer instead of the rights of its own author.
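The authorization error described above, as an added illustrative model (not XWiki's own code): a rights table, a document type, the flawed and corrected ways of resolving which user's rights govern an included document, and an audit helper that flags includes where the included document's author holds fewer rights than the includer's author. The rights table, document names and content strings are constructed for the example.

```python
from dataclasses import dataclass

# Constructed rights table for this model; it is not XWiki's real rights system.
RIGHTS = {
    "Admin": {"view", "edit", "programming"},
    "Editor": {"view", "edit"},
}


@dataclass(frozen=True)
class Document:
    name: str
    author: str         # last author, whose rights should govern script execution
    content: str
    has_script: bool    # True if the content carries a script needing the programming right


def has_right(user: str, right: str) -> bool:
    return right in RIGHTS.get(user, set())


def execute(doc: Document, effective_user: str) -> str:
    """Render a document's content under the rights of effective_user."""
    if doc.has_script and not has_right(effective_user, "programming"):
        return f"BLOCKED: script in {doc.name} ({effective_user} lacks programming right)"
    return f"EXECUTED as {effective_user}: {doc.content}"


def include_vulnerable(includer: Document, included: Document) -> str:
    # Flawed behaviour: included content runs with the rights of the includer's author.
    return execute(included, effective_user=includer.author)


def include_fixed(includer: Document, included: Document) -> str:
    # Corrected behaviour: included content runs with the rights of its own author.
    return execute(included, effective_user=included.author)


def risky_includes(pairs):
    """Audit helper: list (includer, included) pairs where the included document's
    author has fewer rights than the includer's author, i.e. where the flaw
    would hand the included content's author a privilege gain."""
    return [(inc.name, tgt.name) for inc, tgt in pairs
            if not RIGHTS.get(tgt.author, set()) >= RIGHTS.get(inc.author, set())]


# Constructed sample: an admin-authored page includes a snippet that a
# lower-privileged editor later modified to carry a script.
MAIN = Document("Main.WebHome", "Admin", "{{include reference='Shared.Snippet'/}}", False)
SNIPPET = Document("Shared.Snippet", "Editor", "(script body needing programming right)", True)

if __name__ == "__main__":
    print(include_vulnerable(MAIN, SNIPPET))   # script runs as Admin
    print(include_fixed(MAIN, SNIPPET))        # script blocked
    print(risky_includes([(MAIN, SNIPPET)]))
```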


How to mitigate CVE-2024-38369

Install the security update from the vendor's website.

Sources