CVE-2024-55876: XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Any user with an account on the main wiki could run scheduling operations on subwikis.
To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then click any operation (e.g., Trigger) on any job. If the operation succeeds, the instance is vulnerable.