CVE-2024-55877
CRITICALDescription
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| xwiki | xwiki |
| xwiki | xwiki |
| xwiki | xwiki |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2024-55877? +
How severe is CVE-2024-55877? +
What products are affected by CVE-2024-55877? +
How do I check if I'm vulnerable to CVE-2024-55877? +
Related Vulnerabilities
In Tiny MoxieManager PHP before 4.0.0, remote code execution can occur in the installer command. This vulnerability allows unauthenticated attackers …
Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three …
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances …
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible …
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is …