Back

CVE-2024-43401

Aug. 19, 2024, 6:36 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

XWiki Platform

  • 15.10RC1

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-269
2024-08-19
CVE-2024-43401

CVE-2024-43401 details

Published : Aug. 19, 2024, 5:15 p.m.
Last Modified : Aug. 19, 2024, 6:36 p.m.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.

CVSS Score

1 2 3 4 5 6 7 8 9.0 10

Weakness

Weakness Name Description
CWE-269 Improper Privilege Management The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.0

Exploitability Score

2.3

Impact Score

6.0

Base Severity

CRITICAL

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References

URL Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20331 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21311 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21481 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21482 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21483 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21484 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21485 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21486 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21487 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21488 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21489 security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-21490 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.