critical
10
CWE
94 95
EPSS
0.585%
Advisory Published
Advisory Published
Updated

CVE-2024-21650: XWiki Remote Code Execution vulnerability via user registration

First published: Mon Jan 08 2024(Updated: )

### Impact XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. To reproduce, register with any username and password and the following payload as "first name": `]]{{/html}}{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack succeeded){{/groovy}}{{/async}}`. In the following page that confirms the success of the registration, the full first name should be displayed, linking to the created user. If the formatting is broken and a log message with content "ERROR attacker - Attack succeeded!" is logged, the attack succeeded. ### Patches This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1. ### Workarounds In the administration of your wiki, under "Users & Rights" > "Registration" set the "Registration Successful Message" to the following code: ```velocity #set($message = $services.localization.render('core.register.successful', 'xwiki/2.1', ['USERLINK', $userName])) #set($userLink = $xwiki.getUserName("$userSpace$userName")) {{info}}$message.replace('USERLINK', "{{html clean=false}}$userLink{{/html}}"){{/info}} ``` ### References * https://jira.xwiki.org/browse/XWIKI-21173 * https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.8-rc-1
15.8-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.3
15.5.3
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.2<14.10.17
14.10.17
Xwiki<14.10.17
Xwiki>=15.0<15.5.3
Xwiki>=15.6<=15.7

Remedy

https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-21650?

    CVE-2024-21650 is classified as a critical vulnerability due to its potential for remote code execution.

  • How do I fix CVE-2024-21650?

    To fix CVE-2024-21650, upgrade to XWiki version 15.8-rc-1 or later, or apply the provided patches.

  • Which XWiki versions are affected by CVE-2024-21650?

    CVE-2024-21650 affects all XWiki versions prior to 15.8-rc-1, including versions between 15.0-rc-1 and 15.5.3.

  • Can CVE-2024-21650 be exploited remotely?

    Yes, CVE-2024-21650 can be exploited remotely by attackers through the user registration feature.

  • What kind of attack does CVE-2024-21650 facilitate?

    CVE-2024-21650 facilitates remote code execution attacks by allowing arbitrary code to be executed through crafted user input.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203