Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mOTYzLTRjcTgtMmd3N84AA-yB
In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them
Impact
A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor.
The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content.
The payload is executed at edit time.
Patches
This vulnerability has been patched in XWiki 15.10RC1.
Workarounds
No workaround. It is advised to upgrade to XWiki 15.10+.
References
- https://jira.xwiki.org/browse/XWIKI-20331
- https://jira.xwiki.org/browse/XWIKI-21311
- https://jira.xwiki.org/browse/XWIKI-21481
- https://jira.xwiki.org/browse/XWIKI-21482
- https://jira.xwiki.org/browse/XWIKI-21483
- https://jira.xwiki.org/browse/XWIKI-21484
- https://jira.xwiki.org/browse/XWIKI-21485
- https://jira.xwiki.org/browse/XWIKI-21486
- https://jira.xwiki.org/browse/XWIKI-21487
- https://jira.xwiki.org/browse/XWIKI-21488
- https://jira.xwiki.org/browse/XWIKI-21489
- https://jira.xwiki.org/browse/XWIKI-21490
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
This vulnerability has been reported on Intigriti by @floerer
Permalink: https://github.com/advisories/GHSA-f963-4cq8-2gw7JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mOTYzLTRjcTgtMmd3N84AA-yB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-f963-4cq8-2gw7, CVE-2024-43401
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7
- https://nvd.nist.gov/vuln/detail/CVE-2024-43401
- https://jira.xwiki.org/browse/XWIKI-20331
- https://jira.xwiki.org/browse/XWIKI-21311
- https://jira.xwiki.org/browse/XWIKI-21481
- https://jira.xwiki.org/browse/XWIKI-21482
- https://jira.xwiki.org/browse/XWIKI-21483
- https://jira.xwiki.org/browse/XWIKI-21484
- https://jira.xwiki.org/browse/XWIKI-21485
- https://jira.xwiki.org/browse/XWIKI-21486
- https://jira.xwiki.org/browse/XWIKI-21487
- https://jira.xwiki.org/browse/XWIKI-21488
- https://jira.xwiki.org/browse/XWIKI-21489
- https://jira.xwiki.org/browse/XWIKI-21490
- https://github.com/advisories/GHSA-f963-4cq8-2gw7
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-web-templates
Affected Version Ranges: < 15.10-rc-1Fixed in: 15.10-rc-1