CVE-2024-55876

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:milestone2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:rc2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:rc3:*:*:*:*:*:*

History

30 Apr 2025, 16:02

Type Values Removed Values Added
CPE cpe:2.3:a:xwiki:xwiki:1.2:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:rc3:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:rc2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.2:milestone2:*:*:*:*:*:*
First Time Xwiki xwiki
Xwiki
References () https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 - () https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 - Patch
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6 - () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6 - Vendor Advisory
References () https://jira.xwiki.org/browse/XWIKI-21663 - () https://jira.xwiki.org/browse/XWIKI-21663 - Exploit, Vendor Advisory

13 Dec 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-12-12 19:15

Updated : 2025-04-30 16:02


NVD link : CVE-2024-55876

Mitre link : CVE-2024-55876

CVE.ORG link : CVE-2024-55876


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-862

Missing Authorization