← volver
CVE-2024-43401

In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them

CVSS 9.1 CRITICALEPSS 0.6%CWE-269
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.1EPSS 0.6%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
19 ago 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Productos afectados
xwiki · xwiki-platform

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7https://jira.xwiki.org/browse/XWIKI-20331https://jira.xwiki.org/browse/XWIKI-21311https://jira.xwiki.org/browse/XWIKI-21481https://jira.xwiki.org/browse/XWIKI-21482https://jira.xwiki.org/browse/XWIKI-21483https://jira.xwiki.org/browse/XWIKI-21484https://jira.xwiki.org/browse/XWIKI-21485https://jira.xwiki.org/browse/XWIKI-21486https://jira.xwiki.org/browse/XWIKI-21487https://jira.xwiki.org/browse/XWIKI-21488https://jira.xwiki.org/browse/XWIKI-21489