CVE-2024-55877

high-risk
Published 2024-12-12

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.

Do I need to act?

!
27.5% chance of exploitation in next 30 days
EPSS score — higher than 73% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 197973569f711b6ee116096b4887d30410493f06, c5e378200ac0047419ddd8c5071396ac35df9025, 177e524c2e218fe5de776619271b7cd12c929488
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Xwiki

References (4)

Patch https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0...
Vendor Advisory https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c
Exploit https://jira.xwiki.org/browse/XWIKI-22030
Exploit https://jira.xwiki.org/browse/XWIKI-22030
55
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 15/34 · Moderate
Exposure 7/34 · Low