Products
XWiki Platform
- 14.10.21
- 15.5.5
- 15.10.6
- 16.0.0
Source
security-advisories@github.com
Tags
CVE-2024-43400 details
Published : Aug. 19, 2024, 5:15 p.m.
Last Modified : Aug. 19, 2024, 6:36 p.m.
Last Modified : Aug. 19, 2024, 6:36 p.m.
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9.0 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.0
Exploitability Score
2.3
Impact Score
6.0
Base Severity
CRITICAL
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c | security-advisories@github.com |
| https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v | security-advisories@github.com |
| https://jira.xwiki.org/browse/XWIKI-21810 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.