CVE-2024-43401: In XWiki Platform, payloads stored in content are executed when a user with script/programming rights edits them
A user without script or programming rights can trick a user who holds those rights into editing content that contains a malicious payload in a WYSIWYG editor. The user with elevated rights gets no warning beforehand that the content they are about to edit may be dangerous, and the payload is executed at edit time, i.e. when the privileged user opens the content in the WYSIWYG editor rather than when the page is merely viewed. The practical consequence on unpatched instances is that a privileged user should inspect the wiki syntax of a page last modified by a less-privileged user (for example in the plain wiki editor or the page source) before opening it in the WYSIWYG editor.
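As an added illustration, and not code from the XWiki project or from the advisory, the following script models the warning the advisory says is missing: it scans a page body written in XWiki 2.x syntax for macros whose bodies are executed as code or injected as raw markup, and decides whether an editor should be warned before the content is opened in a WYSIWYG editor. The warning condition is the one the description implies: the content contains such macros and the editor holds script/programming rights that the last author lacks. The macro list, the helper names and the sample page are assumptions for this example.

```python
import re
from typing import List, NamedTuple

# Assumption: illustrative list of XWiki 2.x macros whose body is executed
# (script engines) or emitted unescaped (html/raw). Extend for your instance.
SCRIPT_MACROS = {"velocity", "groovy", "python", "script", "html", "raw"}

# Matches an opening macro tag such as {{velocity}} or {{html clean="false"}}.
# Closing tags ({{/velocity}}) start with '/', so they are not matched.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z][\w-]*)([^}]*)\}\}")


class Finding(NamedTuple):
    macro: str    # macro name, lower-cased
    line: int     # 1-based line in the page body
    snippet: str  # the opening tag as written, truncated


def find_script_macros(content: str) -> List[Finding]:
    """Return every script-capable macro opening tag found in the page body."""
    findings: List[Finding] = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in MACRO_RE.finditer(line):
            name = m.group(1).lower()
            if name in SCRIPT_MACROS:
                findings.append(Finding(name, lineno, m.group(0)[:60]))
    return findings


def needs_warning(content: str,
                  author_has_script_right: bool,
                  editor_has_script_right: bool) -> bool:
    """True when opening this content in a WYSIWYG editor would run macros
    with rights the last author did not have: the editor is privileged, the
    author is not, and the body carries script-capable macros."""
    privilege_gap = editor_has_script_right and not author_has_script_right
    return privilege_gap and bool(find_script_macros(content))


# Constructed sample page body (not a real payload): a Velocity macro and a
# raw-HTML macro planted among ordinary wiki text and a benign info box.
SAMPLE_PAGE = """= Meeting notes =
Some text.
{{velocity}}$xcontext.user{{/velocity}}
{{html clean="false"}}<b>hi</b>{{/html}}
{{info}}benign{{/info}}
"""

if __name__ == "__main__":
    for f in find_script_macros(SAMPLE_PAGE):
        print(f"line {f.line}: {f.macro} macro -> {f.snippet}")
    print("warn before WYSIWYG edit:",
          needs_warning(SAMPLE_PAGE,
                        author_has_script_right=False,
                        editor_has_script_right=True))
```

The check is deliberately conservative: it flags the `html` and `raw` macros alongside the script engines because unescaped markup injected into the editor's rendering context is enough to run JavaScript in the privileged user's session, even without server-side script execution. When both author and editor already hold script rights there is no privilege gap and no warning is raised.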
References
- github.com/advisories/GHSA-f963-4cq8-2gw7
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7
- jira.xwiki.org/browse/XWIKI-20331
- jira.xwiki.org/browse/XWIKI-21311
- jira.xwiki.org/browse/XWIKI-21481
- jira.xwiki.org/browse/XWIKI-21482
- jira.xwiki.org/browse/XWIKI-21483
- jira.xwiki.org/browse/XWIKI-21484
- jira.xwiki.org/browse/XWIKI-21485
- jira.xwiki.org/browse/XWIKI-21486
- jira.xwiki.org/browse/XWIKI-21487
- jira.xwiki.org/browse/XWIKI-21488
- jira.xwiki.org/browse/XWIKI-21489
- jira.xwiki.org/browse/XWIKI-21490
- nvd.nist.gov/vuln/detail/CVE-2024-43401