Vulnerability Details CVE-2024-37899
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`.
As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Workarounds
We're not aware of any workaround except upgrading.
### References
* https://jira.xwiki.org/browse/XWIKI-21611
* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
Exploit prediction scoring system (EPSS) score
EPSS Score 0.486
EPSS Ranking 97.6%
CVSS Severity
CVSS v3 Score 9.0
References
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://jira.xwiki.org/browse/XWIKI-21611
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://jira.xwiki.org/browse/XWIKI-21611
Products affected by CVE-2024-37899
-
cpe:2.3:a:xwiki:xwiki:13.10.10
-
cpe:2.3:a:xwiki:xwiki:13.10.11
-
cpe:2.3:a:xwiki:xwiki:13.10.3
-
cpe:2.3:a:xwiki:xwiki:13.10.4
-
cpe:2.3:a:xwiki:xwiki:13.10.5
-
cpe:2.3:a:xwiki:xwiki:13.10.6
-
cpe:2.3:a:xwiki:xwiki:13.10.8
-
cpe:2.3:a:xwiki:xwiki:13.4.7
-
cpe:2.3:a:xwiki:xwiki:13.5
-
cpe:2.3:a:xwiki:xwiki:14.0
-
cpe:2.3:a:xwiki:xwiki:14.1
-
cpe:2.3:a:xwiki:xwiki:14.10
-
cpe:2.3:a:xwiki:xwiki:14.10.1
-
cpe:2.3:a:xwiki:xwiki:14.10.10
-
cpe:2.3:a:xwiki:xwiki:14.10.11
-
cpe:2.3:a:xwiki:xwiki:14.10.12
-
cpe:2.3:a:xwiki:xwiki:14.10.13
-
cpe:2.3:a:xwiki:xwiki:14.10.14
-
cpe:2.3:a:xwiki:xwiki:14.10.15
-
cpe:2.3:a:xwiki:xwiki:14.10.16
-
cpe:2.3:a:xwiki:xwiki:14.10.17
-
cpe:2.3:a:xwiki:xwiki:14.10.18
-
cpe:2.3:a:xwiki:xwiki:14.10.19
-
cpe:2.3:a:xwiki:xwiki:14.10.2
-
cpe:2.3:a:xwiki:xwiki:14.10.20
-
cpe:2.3:a:xwiki:xwiki:14.10.3
-
cpe:2.3:a:xwiki:xwiki:14.10.4
-
cpe:2.3:a:xwiki:xwiki:14.10.5
-
cpe:2.3:a:xwiki:xwiki:14.10.6
-
cpe:2.3:a:xwiki:xwiki:14.10.7
-
cpe:2.3:a:xwiki:xwiki:14.10.8
-
cpe:2.3:a:xwiki:xwiki:14.10.9
-
cpe:2.3:a:xwiki:xwiki:14.2
-
cpe:2.3:a:xwiki:xwiki:14.2.1
-
cpe:2.3:a:xwiki:xwiki:14.3
-
cpe:2.3:a:xwiki:xwiki:14.3.1
-
cpe:2.3:a:xwiki:xwiki:14.4
-
cpe:2.3:a:xwiki:xwiki:14.4.3
-
cpe:2.3:a:xwiki:xwiki:14.4.4
-
cpe:2.3:a:xwiki:xwiki:14.4.5
-
cpe:2.3:a:xwiki:xwiki:14.4.6
-
cpe:2.3:a:xwiki:xwiki:14.4.7
-
cpe:2.3:a:xwiki:xwiki:14.4.8
-
cpe:2.3:a:xwiki:xwiki:14.5
-
cpe:2.3:a:xwiki:xwiki:14.5.0
-
cpe:2.3:a:xwiki:xwiki:14.6
-
cpe:2.3:a:xwiki:xwiki:14.7
-
cpe:2.3:a:xwiki:xwiki:14.9
-
cpe:2.3:a:xwiki:xwiki:15.0
-
cpe:2.3:a:xwiki:xwiki:15.1
-
cpe:2.3:a:xwiki:xwiki:15.10
-
cpe:2.3:a:xwiki:xwiki:15.10.1
-
cpe:2.3:a:xwiki:xwiki:15.10.2
-
cpe:2.3:a:xwiki:xwiki:15.10.3
-
cpe:2.3:a:xwiki:xwiki:15.10.4
-
cpe:2.3:a:xwiki:xwiki:15.10.5
-
cpe:2.3:a:xwiki:xwiki:15.2
-
cpe:2.3:a:xwiki:xwiki:15.3
-
cpe:2.3:a:xwiki:xwiki:15.4
-
cpe:2.3:a:xwiki:xwiki:15.5
-
cpe:2.3:a:xwiki:xwiki:15.5.1
-
cpe:2.3:a:xwiki:xwiki:15.5.2
-
cpe:2.3:a:xwiki:xwiki:15.5.3
-
cpe:2.3:a:xwiki:xwiki:15.5.4
-
cpe:2.3:a:xwiki:xwiki:15.6
-
cpe:2.3:a:xwiki:xwiki:15.7
-
cpe:2.3:a:xwiki:xwiki:15.8
-
cpe:2.3:a:xwiki:xwiki:15.9
-
cpe:2.3:a:xwiki:xwiki:16.0.0