GitHub_MVULNRICHMENT:CVE-2024-43400CVE-2024-43400 XWiki Platform allows XSS through XClass name in string properties
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:*"
],
"vendor": "xwiki",
"product": "xwiki-platform",
"versions": [
{
"status": "affected",
"version": "15.6-rc-1",
"lessThan": "15.10.2",
"versionType": "custom"
},
{
"status": "affected",
"version": "15.0-rc-1",
"lessThan": "15.5.5",
"versionType": "custom"
},
{
"status": "affected",
"version": "0",
"lessThan": "14.10.21",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
},
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki-platform:16.0.0-rc-1:*:*:*:*:*:*:*"
],
"vendor": "xwiki",
"product": "xwiki-platform",
"versions": [
{
"status": "affected",
"version": "16.0.0-rc-1"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total