CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.6%
When an admin disables a user account, the user’s profile is executed with the admin’s rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.
To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}
.
As an admin, go to the user profile and click the “Disable this account” button.
Then, reload the page. If the logs show attacker - Hello from Groovy!
then the instance is vulnerable.
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
We’re not aware of any workaround except upgrading.
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/046c36519a2df392c922c16d0d38472b98c414d0
github.com/xwiki/xwiki-platform/commit/233b08b26580df4b7a595882dac65ed4e4a2419c
github.com/xwiki/xwiki-platform/commit/2b55c29562ccd20f8f0f85075f0c95b4ee9cd9be
github.com/xwiki/xwiki-platform/commit/f8409419c5d0ddefe1bee55e73629a54275fa735
github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
jira.xwiki.org/browse/XWIKI-21611
nvd.nist.gov/vuln/detail/CVE-2024-37899
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.6%