critical
9.1
CWE
266 94
Advisory Published
CVE Published
Updated

CVE-2024-37899: Disabling a user account changes its author, allowing RCE from user account in XWiki

First published: Thu Jun 20 2024(Updated: )

### Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.xwiki.platform:xwiki-platform-oldcore>=16.0.0-rc-1<16.0.0
16.0.0
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.6-rc-1<15.10.6
15.10.6
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.5.5
15.5.5
maven/org.xwiki.platform:xwiki-platform-oldcore>=13.10.3<14.10.21
14.10.21
maven/org.xwiki.platform:xwiki-platform-oldcore>=13.4.7<13.5
14.10.21
XWiki>=13.10.3<14.10.21
XWiki>=15.0<15.5.5
XWiki>=15.6<15.10.6
XWiki=13.4.7
XWiki=13.5-rc1
XWiki=16.0.0-rc1

Remedy

https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-37899?

    CVE-2024-37899 is classified as a high severity vulnerability due to its ability to execute malicious code with admin rights.

  • How do I fix CVE-2024-37899?

    To fix CVE-2024-37899, update to the patched versions 16.0.0, 15.10.6, 15.5.5, or 14.10.21 of org.xwiki.platform:xwiki-platform-oldcore.

  • What impact does CVE-2024-37899 have on user accounts?

    CVE-2024-37899 allows a user to execute code with an admin's privileges upon account disablement, potentially resulting in unauthorized actions.

  • Who is affected by CVE-2024-37899?

    CVE-2024-37899 affects installations of org.xwiki.platform:xwiki-platform-oldcore prior to the remediation versions.

  • Can I exploit CVE-2024-37899 without admin rights?

    Yes, an attacker can exploit CVE-2024-37899 by embedding malicious code in their user profile before an admin disables their account.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203