Back

CVE-2024-37900

July 31, 2024, 4:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

XWiki Platform

  • 14.10.21
  • 15.5.5
  • 15.10.6
  • 16.0.0

Source

security-advisories@github.com

Tags

security-advisories@github.com
2024-07-31
CVE-2024-37900
CWE-96

CVE-2024-37900 details

Published : July 31, 2024, 4:15 p.m.
Last Modified : July 31, 2024, 4:15 p.m.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

CVSS Score

1 2 3 4 5 6.4 7 8 9 10

Weakness

Weakness Name Description
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.4

Exploitability Score

1.2

Impact Score

5.2

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

References

URL Source
https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28 security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949 security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-19602 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-19611 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21769 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.