CVE-2024-55662: XWiki allows remote code execution through the extension sheet

10.0 CVSS

Description

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.

Classification

CVE ID: CVE-2024-55662

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

Affected Products

Vendor: xwiki

Product: xwiki-platform

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.83% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5
https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8
https://jira.xwiki.org/browse/XWIKI-21890

Timeline

2024-12-12 20:15:18 UTC
Github Advisory Database (Maven)

[org.xwiki.platform:xwiki-platform-repository-server-ui] XWiki allows remote code execution through the extension sheet
2024-12-13 00:30:50 UTC
CVE

XWiki allows remote code execution through the extension sheet