XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.
References
| Link | Resource |
|---|---|
| https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d | Patch |
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr | Vendor Advisory |
| https://jira.xwiki.org/browse/XWIKI-21207 | Exploit Vendor Advisory |
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398 | Not Applicable |
Configurations
Configuration 1 (hide)
|
History
30 Apr 2025, 16:01
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:xwiki:xwiki:*:-:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* |
|
| First Time |
Xwiki xwiki
Xwiki |
|
| References | () https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d - Patch | |
| References | () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr - Vendor Advisory | |
| References | () https://jira.xwiki.org/browse/XWIKI-21207 - Exploit, Vendor Advisory | |
| References | () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398 - Not Applicable |
13 Dec 2024, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-12-12 20:15
Updated : 2025-04-30 16:01
NVD link : CVE-2024-55879
Mitre link : CVE-2024-55879
CVE.ORG link : CVE-2024-55879
JSON object : View
Products Affected
xwiki
- xwiki
CWE
CWE-862
Missing Authorization