CVE-2024-43400

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-21810	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

History

20 Aug 2024, 16:10

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.0~~	v2 : unknown v3 : 5.4
First Time		Xwiki Xwiki xwiki
CWE		CWE-79
CPE		cpe:2.3:a:xwiki:xwiki::::::::
Summary		(es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Es posible que un usuario sin derechos de script o programación cree una URL que apunte a una página con JavaScript arbitrario. Esto requiere que un ingeniero social engañe al usuario para que siga la URL. Esto ha sido parcheado en XWiki 14.10.21, 15.5.5, 15.10.6 y 16.0.0.
References	~~() https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c -~~	() https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-21810 -~~	() https://jira.xwiki.org/browse/XWIKI-21810 - Issue Tracking, Vendor Advisory

19 Aug 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 17:15

Updated : 2024-08-20 16:10

NVD link : CVE-2024-43400

Mitre link : CVE-2024-43400

CVE.ORG link : CVE-2024-43400

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

5.4 /10