Home/CVE/XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has
CVE

CVE-2024-37898

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin.

As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as rights of the previous version are transferred to the new page and thus the user still doesn't have view right on the page. It therefore doesn't seem to be possible to exploit this to gain any rights. This has been patched in XWiki 14.10.21, 15.5.5 and 15.10.6 by cancelling save operations by users when a new document shall be saved despite the document's existing already.

MEDIUM · CVSS 4.3 EPSS 0.00174
Monitor
  • No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence
Sigma rules0 YARA rules0

Weakness Classification

CWE-862Missing Authorization
CWE-862Missing Authorization

Affected Products & Versions

5
xwiki>= 13.10.4 and < 14.0
xwiki>= 14.2 and < 14.10.21
xwiki> 15.0 and < 15.5.5
xwiki>= 15.6 and < 15.10.6
xwikiall versions

Affected Packages

1
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
Maven org.xwiki.platform:xwiki-platform-oldcore MODERATE fixed in 14.10.21

Scoring & Timeline

4.3
MEDIUM · CVSS v3.1 · security-advisories@github.com
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD31 Jul 2024 · 04:15 PM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
no
Technical impact
partial
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.
🔗

References & Sources

6
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://github.com/xwiki/xwiki-platform/commit/0bc27d6ec63c8a505ff950e2d1792cb4f773c22ePatch
https://github.com/xwiki/xwiki-platform/commit/56f5d8aab7371d5ba891168f73890806551322c5Patch
https://github.com/xwiki/xwiki-platform/commit/c5efc1e519e710afdf3c5f40c0fcc300ad77149fPatch
https://github.com/xwiki/xwiki-platform/commit/e4968fe268e5644ffd9bfa4ef6257d2796446009Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpqVendor Advisory
https://jira.xwiki.org/browse/XWIKI-21553Issue Tracking
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin