CRITICAL🇵🇱 Wersja polska

CVE-2024-55877

CVSS 9.9v3.1pub. 2024-12-12upd. 2025-04-30

XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.

🤖 AI Analysis
How it works

The wiki macro creation mechanism (WikiMacroClass) does not require administrator privileges — a regular user account is sufficient. An attacker can add an appropriately crafted `XWiki.WikiMacroClass` instance to any page, which leads to arbitrary server-side code execution. The vulnerability is classified as indirect script injection (CWE-96) and code injection (CWE-94), and its scope extends beyond a single component context (CVSS Scope: Changed).

Impact

An attacker with any user account can take full control of the XWiki instance, gaining unauthorized access to data, the ability to modify it, and the ability to disrupt platform operations.

Mitigation & patch

XWiki Platform should be updated to version 15.10.11, 16.4.1, or 16.5.0. As a workaround, it is possible to manually apply a patch on the `XWiki.XWikiSyntaxMacrosList` page in accordance with the vendor's reference instructions.

Who is affected

XWiki Platform versions from 9.7-rc-1 to 15.10.10 inclusive, as well as versions from the 16.x branch before 16.4.1 and 16.5.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    16.5.09.7 – 15.10.11 (bez)16.0.0 – 16.4.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra

CVE-2024-55877 — Xwiki — CRITICAL — CVSS 9.9 | CVEbaza.pl