CVE-2024-55879: XWiki allows RCE from script right in configurable sections

December 12, 2024

Any user with script rights can perform arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on a instance, as a user with script rights, edit your user profile and add an object of type XWiki.ConfigurableClass (“Custom configurable sections”). Set “Display in section” and “Display in category” to other, “Scope” to Wiki and all spaces and “Heading” to:

References

github.com/advisories/GHSA-r279-47wg-chpr
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d
github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
jira.xwiki.org/browse/XWIKI-21207
nvd.nist.gov/vuln/detail/CVE-2024-55879

Code Behaviors & Features

Detect and mitigate CVE-2024-55879 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →