{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-55876","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-12-11T15:46:36.421Z","datePublished":"2024-12-12T18:59:49.733Z","dateUpdated":"2024-12-13T14:55:19.672Z"},"containers":{"cna":{"title":"XWiki's scheduler in subwiki allows scheduling operations for any main wiki user","problemTypes":[{"descriptions":[{"cweId":"CWE-862","lang":"en","description":"CWE-862: Missing Authorization","type":"CWE"}]}],"metrics":[{"cvssV3_0":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","version":"3.0"}}],"references":[{"name":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cwq6-mjmx-47p6"},{"name":"https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331","tags":["x_refsource_MISC"],"url":"https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331"},{"name":"https://jira.xwiki.org/browse/XWIKI-21663","tags":["x_refsource_MISC"],"url":"https://jira.xwiki.org/browse/XWIKI-21663"}],"affected":[{"vendor":"xwiki","product":"xwiki-platform","versions":[{"version":">= 1.2-milestone-2, < 15.10.9","status":"affected"},{"version":">= 16.0.0-rc-1, < 16.3.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-12-12T18:59:49.733Z"},"descriptions":[{"lang":"en","value":"XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch."}],"source":{"advisory":"GHSA-cwq6-mjmx-47p6","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://jira.xwiki.org/browse/XWIKI-21663","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-12-13T14:52:05.467259Z","id":"CVE-2024-55876","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-13T14:55:19.672Z"}}]}}