CVE-2024-41947

moderate-risk

Published 2024-07-31

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.

Do I need to act?

13.0% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52209

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.0/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Xwiki

Affected Vendors

Xwiki

References (4)

Patch https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77ff...

Patch https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb...

Vendor Advisory https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x

Issue Tracking https://jira.xwiki.org/browse/XWIKI-21626

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 12/34 · Low

Exposure 5/34 · Minimal