CVE-2024-43401

Sažetak

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.

Reference

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7
https://jira.xwiki.org/browse/XWIKI-20331
https://jira.xwiki.org/browse/XWIKI-21311
https://jira.xwiki.org/browse/XWIKI-21481
https://jira.xwiki.org/browse/XWIKI-21482
https://jira.xwiki.org/browse/XWIKI-21483
https://jira.xwiki.org/browse/XWIKI-21484
https://jira.xwiki.org/browse/XWIKI-21485
https://jira.xwiki.org/browse/XWIKI-21486
https://jira.xwiki.org/browse/XWIKI-21487
https://jira.xwiki.org/browse/XWIKI-21488
https://jira.xwiki.org/browse/XWIKI-21489
https://jira.xwiki.org/browse/XWIKI-21490

CVSS

Base:	8.0
Impact:	5.9
Exploitability:	2.1

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

20-08-2024 - 16:09

Objavljeno

19-08-2024 - 17:15