CRITICAL🇵🇱 Wersja polska

CVE-2024-55662

CVSS 9.9v3.1pub. 2024-12-12upd. 2025-04-30

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.

🤖 AI Analysis
How it works

The bug results from improper permission verification (CWE-863) and the possibility of script code injection and execution (CWE-94, CWE-96) in the context of XWiki pages. An attacker with basic access to the XWiki instance can exploit the ExtensionCode.ExtensionSheet or ExtensionCode.ExtensionAuthorsDisplayer pages to execute arbitrary code with programmer privilege level. No interaction from other users or privilege escalation beyond the vulnerability mechanism itself is required.

Impact

An attacker can execute arbitrary code on the server with the highest application privileges (programming rights), which in practice means complete takeover of the XWiki instance, access to sensitive data, modification of wiki content, and potential compromise of system integrity and availability.

Mitigation & patch

XWiki Platform should be updated to version 15.10.9 or 16.3.0. As a workaround, the Extension Repository Application can be disabled if not used. It is also possible to manually apply patches from commit 8659f17d500522bf33595e402391592a35a162e8 on the ExtensionCode.ExtensionSheet and ExtensionCode.ExtensionAuthorsDisplayer pages.

Who is affected

XWiki Platform versions from 3.3-milestone-1 to 15.10.8 and from 16.0.0 to 16.2.x, with the Extension Repository Application installed

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    3.3 – 15.10.9 (bez)16.0.0 – 16.3.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra

CVE-2024-55662 — Xwiki — CRITICAL — CVSS 9.9 | CVEbaza.pl