CVE-2024-55876
CVSS V2 None
CVSS V3 None
Description
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.
Overview
- CVE ID
- CVE-2024-55876
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-12-12T18:59:49.733Z
- Last Modified Date
- 2024-12-12T18:59:49.733Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6 | x_refsource_CONFIRM |
https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 | x_refsource_MISC |
https://jira.xwiki.org/browse/XWIKI-21663 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-55876 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55876 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-12-13 13:18:29 | Added to TrackCVE |