{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-55879","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-12-11T15:46:36.421Z","datePublished":"2024-12-12T19:17:38.138Z","dateUpdated":"2024-12-13T14:54:21.161Z"},"containers":{"cna":{"title":"XWiki allows RCE from script right in configurable sections","problemTypes":[{"descriptions":[{"cweId":"CWE-862","lang":"en","description":"CWE-862: Missing Authorization","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr"},{"name":"https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d","tags":["x_refsource_MISC"],"url":"https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d"},{"name":"https://jira.xwiki.org/browse/XWIKI-21207","tags":["x_refsource_MISC"],"url":"https://jira.xwiki.org/browse/XWIKI-21207"}],"affected":[{"vendor":"xwiki","product":"xwiki-platform","versions":[{"version":">= 2.3, < 15.10.9","status":"affected"},{"version":">= 16.0.0-rc-1, < 16.3.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-12-12T19:17:38.138Z"},"descriptions":[{"lang":"en","value":"XWiki Platform is a generic wiki platform. 
Starting in version 2.3 and prior to versions 15.10.9 and 16.3.0 (the fixed releases on the 15.x and 16.x branches respectively), any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading."}],"source":{"advisory":"GHSA-r279-47wg-chpr","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-12-13T14:50:04.671966Z","id":"CVE-2024-55879","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-13T14:54:21.161Z"}}]}}