Lucene search

GoogleOSV:CVE-2024-41947

HistoryJul 31, 2024 - 4:15 p.m.

CVE-2024-41947

2024-07-3116:15:04

Google

osv.dev

xwiki platform

security vulnerability

patched versions

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.002

Percentile

54.7%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.

References

github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f

github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34

github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x

jira.xwiki.org/browse/XWIKI-21626

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.002

Percentile

54.7%

JSON

Related for OSV:CVE-2024-41947