GoogleOSV:GHSA-J584-J2VJ-3F93XWiki Platform allows remote code execution from user account
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.6%
Impact
When an admin disables a user account, the user’s profile is executed with the admin’s rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.
To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}.
As an admin, go to the user profile and click the “Disable this account” button.
Then, reload the page. If the logs show attacker - Hello from Groovy! then the instance is vulnerable.
Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Workarounds
We’re not aware of any workaround except upgrading.
References
References
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/046c36519a2df392c922c16d0d38472b98c414d0
github.com/xwiki/xwiki-platform/commit/233b08b26580df4b7a595882dac65ed4e4a2419c
github.com/xwiki/xwiki-platform/commit/2b55c29562ccd20f8f0f85075f0c95b4ee9cd9be
github.com/xwiki/xwiki-platform/commit/f8409419c5d0ddefe1bee55e73629a54275fa735
github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
jira.xwiki.org/browse/XWIKI-21611
nvd.nist.gov/vuln/detail/CVE-2024-37899
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.6%