CVE-2024-55877: XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
First published: Thu Dec 12 2024(Updated: )
### Impact Any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to `Current User` and "Macro Description" to `{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}`. Save the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`. If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable. ### Patches This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. ### Workarounds It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`. ### References * https://jira.xwiki.org/browse/XWIKI-22030 * https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.platform:xwiki-platform-help-ui | >=16.5.0-rc-1<16.5.0 | 16.5.0 |
| maven/org.xwiki.platform:xwiki-platform-help-ui | >=16.0.0-rc-1<16.4.1 | 16.4.1 |
| maven/org.xwiki.platform:xwiki-platform-help-ui | >=9.7-rc-1<15.10.11 | 15.10.11 |
| Xwiki | >=9.7<15.10.11 | |
| Xwiki | >=16.0.0<16.4.1 | |
| Xwiki | =16.5.0-rc1 | |
| >=9.7<15.10.11 | ||
| >=16.0.0<16.4.1 | ||
| =16.5.0-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c
- https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
- https://jira.xwiki.org/browse/XWIKI-22030
- https://nvd.nist.gov/vuln/detail/CVE-2024-55877
- https://github.com/advisories/GHSA-2r87-74cx-2p7c (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-55877?
CVE-2024-55877 is classified as a critical vulnerability due to its potential for arbitrary remote code execution by any authenticated user.
How do I fix CVE-2024-55877?
To remediate CVE-2024-55877, upgrade to the fixed versions of the affected package, specifically 16.5.0, 16.4.1, or 15.10.11.
Who is affected by CVE-2024-55877?
Any user with an account on XWiki installations that are running versions prior to the fixed releases is vulnerable to CVE-2024-55877.
What type of exposure does CVE-2024-55877 create?
CVE-2024-55877 exposes the XWiki installation to risks related to confidentiality, integrity, and availability due to the potential for executing arbitrary code.
What actions should be taken if my system is vulnerable to CVE-2024-55877?
If your system is affected by CVE-2024-55877, it is crucial to apply the necessary updates immediately to mitigate any risk.
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2r87-74cx-2p7c
- alias/CVE-2024-55877
- agent/software-canonical-lookup
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- agent/trending
- collector/github-advisory
- agent/source
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-api
- package-manager/maven
- vendor/xwiki
- canonical/xwiki
- version/xwiki/9.7
- version/xwiki/16.0.0
- version/xwiki/16.5.0-rc1