CVE-2024-43400

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-21810	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

History

20 Aug 2024, 16:10

Type	Values Removed	Values Added
Summary		(es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Es posible que un usuario sin derechos de script o programación cree una URL que apunte a una página con JavaScript arbitrario. Esto requiere que un ingeniero social engañe al usuario para que siga la URL. Esto ha sido parcheado en XWiki 14.10.21, 15.5.5, 15.10.6 y 16.0.0.
CVSS	v2 : ~~unknown~~ v3 : ~~9.0~~	v2 : unknown v3 : 5.4
First Time		Xwiki Xwiki xwiki
CWE		CWE-79
CPE		cpe:2.3:a:xwiki:xwiki::::::::
References	~~() https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c -~~	() https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-21810 -~~	() https://jira.xwiki.org/browse/XWIKI-21810 - Issue Tracking, Vendor Advisory

19 Aug 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 17:15

Updated : 2024-08-20 16:10

NVD link : CVE-2024-43400

Mitre link : CVE-2024-43400

CVE.ORG link : CVE-2024-43400

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

5.4 /10