CVE-2024-37901
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
Description
### Impact Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestConfig` to your profile page, and an object of type `XWiki.SearchSuggestSourceClass` as well. On this last object, set both `name` and `icon` properties to `$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')")` and `limit` and `engine` to `{{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}`. Save and display the page. If the logs contain any message `ERROR attacker - I got programming: true` then the instance is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. ### Workarounds We're not aware of any workaround except upgrading. ### References - https://jira.xwiki.org/browse/XWIKI-21473 - https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e
How to fix CVE-2024-37901
To remediate CVE-2024-37901, upgrade the affected package to a fixed version below.
- —upgrade to 14.10.21 or later
Is CVE-2024-37901 being exploited?
Moderate — EPSS is 9.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- >= 9.2-rc-1, < 14.10.21