CVE-2024-55879

Опубликовано: 12 дек. 2024

Источник: nvd

CVSS3: 9.1

CVSS3: 8.8

EPSS Средний

Описание

XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-21207
Exploit
Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398
Not Applicable

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 2.3 (включая) до 15.10.9 (исключая)

cpe:2.3:a:xwiki:xwiki:*:-:*:*:*:*:*:*

Версия от 16.0.0 (включая) до 16.3.0 (исключая)

EPSS

Процентиль: 95%

0.19786

Средний

9.1 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-r279-47wg-chpr

CVSS3: 9.1

github

около 1 года назад

XWiki allows RCE from script right in configurable sections

EPSS

Процентиль: 95%

0.19786

Средний

9.1 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-862