CVE-2024-55662: XWiki allows remote code execution through the extension sheet
On instances where the Extension Repository Application is installed, any user can execute any code requiring programming rights on the server.
To reproduce on an instance, as a normal user without script or programming rights, go to your profile and add an object of type ExtensionCode.ExtensionClass. Set the description to {{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}} and press Save and View. If the description displays as Hello from Description without any error, then the instance is vulnerable.
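The check above is interactive; an administrator auditing an existing instance will more often want to scan exported pages for ExtensionCode.ExtensionClass objects whose text properties already carry script macros. The following added example (not from the advisory or the XWiki project) does that over a constructed page export; it assumes the XAR-style layout in which each object element carries a className child and one property element per field, named after that field.

```python
"""Flag XWiki extension objects whose text properties contain script macros.

Added example, not part of the advisory or of XWiki itself. It assumes the
XAR/page-export XML layout (<object> with <className> and <property> children);
the sample document below is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

EXTENSION_CLASS = "ExtensionCode.ExtensionClass"
# Macros that execute script when the extension sheet renders the object
# with the sheet author's programming rights.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|async|script)\b", re.IGNORECASE)

# Constructed sample: a benign extension object, one carrying the advisory's
# payload, and an unrelated object that the scanner must ignore.
SAMPLE_XML = """<xwikidoc>
  <web>XWiki</web><name>SomeUser</name>
  <object>
    <className>ExtensionCode.ExtensionClass</className>
    <property><name>Benign extension</name></property>
    <property><description>Just a plain description.</description></property>
  </object>
  <object>
    <className>ExtensionCode.ExtensionClass</className>
    <property><description>{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}</description></property>
  </object>
  <object>
    <className>XWiki.XWikiUsers</className>
    <property><comment>{{groovy}}not an extension object{{/groovy}}</comment></property>
  </object>
</xwikidoc>"""


def find_script_in_extension_objects(xml_text):
    """Return (object_index, property_name, [macros]) for every ExtensionClass
    property whose value contains a script-capable macro."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, obj in enumerate(root.iter("object")):
        if obj.findtext("className") != EXTENSION_CLASS:
            continue
        for prop in obj.findall("property"):
            for field in prop:  # each <property> wraps one element named after the field
                macros = sorted({m.lower() for m in SCRIPT_MACRO.findall(field.text or "")})
                if macros:
                    findings.append((idx, field.tag, macros))
    return findings


if __name__ == "__main__":
    for idx, field, macros in find_script_in_extension_objects(SAMPLE_XML):
        print("object %d: property '%s' contains macros %s" % (idx, field, ", ".join(macros)))
```

Objects of other classes with the same macros are deliberately not reported, since only the extension sheet renders them under elevated rights according to the advisory.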