CVE-2024-55662

Severity High (CVSS 3.1 base score 8.8)
EPSS 50.3%
Published Dec 12, 2024
Last Modified Jun 17, 2026

Description

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.

CVSS Details

Base Score 8.8
Exploitability Subscore 2.8
Impact Subscore 5.9
Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Score 50.3% (this page reports the same figure as both the exploit probability and the percentile; confirm against the EPSS feed before using it for prioritisation)
Public Exploit Known (see the XWIKI-21890 Jira reference below)
Patch Available Yes: fixed in XWiki 15.10.9 and 16.3.0 (see Description and the linked fix commit)

Weaknesses (3)

CWE-863 Incorrect Authorization
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-96 Improper Neutralization of Directives in Statically Saved Content ('Static Code Injection')

Affected Products (2)

Vendor   Product   Version Range
xwiki    xwiki     ≥ 3.3 and < 15.10.9
xwiki    xwiki     ≥ 16.0.0 and < 16.3.0

The Description gives the lower bound of the first range more precisely as 3.3-milestone-1.
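As an added example (not part of this page and not XWiki project code), the following Python check parses XWiki version strings, including the -milestone-N and -rc-N pre-release qualifiers XWiki uses, and tests them against the affected ranges above. It takes 3.3-milestone-1 as the lower bound, as the Description states. The ordering milestone < rc < final release for the same version number, the assess() wording, and the sample inventory are assumptions made for this example.

```python
"""Check XWiki version strings against the CVE-2024-55662 affected ranges.

Added example (not XWiki project code). The ranges come from this page; the
lower bound uses 3.3-milestone-1 as given in the description.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges: (first affected, inclusive) -> (first fixed, exclusive).
AFFECTED_RANGES = [
    ("3.3-milestone-1", "15.10.9"),
    ("16.0.0", "16.3.0"),
]

# XWiki releases look like "16.3.0", "16.3.0-rc-1" or "3.3-milestone-1".
# Assumption for this example: milestone < rc < final for the same number.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$", re.I)

VersionKey = Tuple[Tuple[int, ...], Tuple[int, int]]


def version_key(text: str) -> VersionKey:
    """Turn a version string into a tuple that sorts in release order.

    Trailing zero components are dropped so that 3.3 and 3.3.0 compare equal,
    and a pre-release qualifier sorts before the final release it precedes
    (a plain string comparison would put 16.3.0-rc-1 after 16.3.0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if m.group(2):
        pre = (_QUALIFIER_RANK[m.group(2).lower()], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return tuple(nums), pre


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    key = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        if version_key(lo) <= key < version_key(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def assess(version: str, extension_repository_installed: bool) -> str:
    """Combine the version check with the page's installation condition."""
    fix = fixed_version_for(version)
    if fix is None:
        return "not affected"
    if not extension_repository_installed:
        # Only instances with Extension Repository Application are exploitable.
        return f"vulnerable version but not exposed; upgrade to {fix} when planned"
    return f"exposed: upgrade to {fix} or disable Extension Repository Application"


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """inventory entries: (host, version, extension_repository_installed)."""
    return {host: assess(ver, installed) for host, ver, installed in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE = [
        ("wiki-a", "15.10.8", True),
        ("wiki-b", "15.10.9", True),
        ("wiki-c", "16.3.0-rc-1", True),
        ("wiki-d", "16.2.0", False),
        ("wiki-e", "3.2", True),
    ]
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

The pre-release handling is the part worth keeping: 16.3.0-rc-1 is older than the 16.3.0 fix and must be reported as affected, which a lexical comparison gets wrong.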

References (3)

  • https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 (fix commit; Vendor Advisory)
  • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5 (Product)
  • https://jira.xwiki.org/browse/XWIKI-21890 (Exploit, Vendor Advisory)

Remediation

Upgrade to XWiki 15.10.9 or 16.3.0 (or a later release on the same line). Instances without `Extension Repository Application` installed are not exposed; since the application is not mandatory, disabling it on instances that do not use it is a valid workaround. Alternatively, apply the changes from commit 8659f17d500522bf33595e402391592a35a162e8 to the pages `ExtensionCode.ExtensionSheet` and `ExtensionCode.ExtensionAuthorsDisplayer`. See the GHSA advisory and XWIKI-21890 above for details.