
In XWiki Platform, payloads stored in content are executed when a user with script/programming right edits them

Critical severity GitHub Reviewed Published Aug 19, 2024 in xwiki/xwiki-platform • Updated Aug 20, 2024

Package

org.xwiki.platform:xwiki-platform-web-templates (Maven)

Affected versions

< 15.10-rc-1

Patched versions

15.10-rc-1

Description

Impact

A user without script/programming right can trick a user with elevated rights into editing content that contains a malicious payload using a WYSIWYG editor.
The user with elevated rights is not warned beforehand that they are about to edit possibly dangerous content.
The payload is executed at edit time, with the rights of the editing user.

Patches

This vulnerability has been patched in XWiki 15.10RC1.

Workarounds

No workaround. It is advised to upgrade to XWiki 15.10+.

References

For more information

If you have any questions or comments about this advisory:

Attribution

This vulnerability was reported on Intigriti by @floerer.

References

@surli surli published to xwiki/xwiki-platform Aug 19, 2024
Published by the National Vulnerability Database Aug 19, 2024
Published to the GitHub Advisory Database Aug 19, 2024
Reviewed Aug 19, 2024
Last updated Aug 20, 2024

Severity

Critical 9.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS score

0.101% (42nd percentile)

CVE ID

CVE-2024-43401

GHSA ID

GHSA-f963-4cq8-2gw7

Source code

Credits
