Platform
java
Component
org.xwiki.platform:xwiki-platform-oldcore
Fixed in
14.10.21
15.5.5
15.10.6
16.0.0
CVE-2024-37899 is a critical remote code execution (RCE) vulnerability in the oldcore component of XWiki Platform (org.xwiki.platform:xwiki-platform-oldcore). When an administrator disables a user account, XWiki executes that user's profile with the administrator's rights. A user who has planted a script macro in their own profile therefore gets it executed with admin privileges the moment the account is disabled. Affected are releases before the fix for their branch: 14.10.21 (14.x and earlier), 15.5.5 (15.0 to 15.5), 15.10.6 (15.6 to 15.10) and 16.0.0 (the 16.0.0 release candidates).
This lets an unprivileged user, one with no script rights of their own, run arbitrary code with administrator rights. The attacker edits their own profile and inserts a script macro, for example {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}, then waits for an administrator to disable the account. Disabling is a routine response to a misbehaving account, so the attacker can provoke it rather than having to persuade anyone. When the account is disabled, the profile is executed in the administrator's context. The logging call above is the advisory's harmless demonstration; the same Groovy macro can call any Java API reachable from the XWiki process, so the outcome is full control of the wiki and code execution on the host with the privileges of the XWiki server process. Exploitation is a one-line profile edit that needs no tooling, which is what makes the severity critical.
CVE-2024-37899 was publicly disclosed on June 20, 2024. It has no CISA KEV listing at the time of writing. The advisory's own reproduction steps are a working proof of concept, so no further exploit development is needed. Active exploitation is unconfirmed, but the critical severity and the trivial reproduction make exploitation likely. Refer to the XWiki security advisory for details.
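Because the payload is ordinary wiki syntax in a page the attacker controls, the practical check before disabling an account is to read the profile's raw source and look for script macros. The following Python scanner is an added example for this page, not code from the XWiki project. The REST path for a profile page and the XML namespace of the response are assumptions to confirm against your instance; the sample response is constructed and embeds the advisory's benign logging payload.

```python
import re
import xml.etree.ElementTree as ET

# Macro names whose bodies run server-side when the page is rendered. This list is an
# assumption for the example, not an exhaustive inventory of XWiki's script macros.
SCRIPT_MACROS = ("groovy", "velocity", "python", "script")

# Opening tag of a script macro, e.g. {{groovy}} or {{script language="groovy"}}.
# Matching is case-insensitive on purpose: a false positive costs a manual look,
# a false negative costs the admin account.
MACRO_OPEN = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# Namespace of XWiki's REST page representation (assumption; confirm on your instance).
XWIKI_REST_NS = {"x": "http://www.xwiki.org"}


def find_script_macros(wiki_source: str) -> list:
    """Return (line number, macro name, stripped line) for each script macro found."""
    hits = []
    for number, line in enumerate(wiki_source.splitlines(), start=1):
        for m in MACRO_OPEN.finditer(line):
            hits.append((number, m.group(1).lower(), line.strip()))
    return hits


def profile_rest_url(base_url: str, wiki: str, user: str) -> str:
    """REST URL of the profile page XWiki.<user>; the base URL is supplied by the caller."""
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/spaces/XWiki/pages/{user}"


def page_content(page_xml: str) -> str:
    """Extract the raw wiki source from a REST page representation."""
    root = ET.fromstring(page_xml)
    el = root.find("x:content", XWIKI_REST_NS)
    if el is None:  # tolerate a response that carries no namespace
        el = root.find("content")
    return (el.text or "") if el is not None else ""


def review_profile(page_xml: str) -> dict:
    """Verdict for one profile: safe to disable only when no script macro is present."""
    hits = find_script_macros(page_content(page_xml))
    return {"safe_to_disable": not hits, "findings": hits}


# Constructed sample: a REST response for a profile page whose owner inserted the
# benign logging payload quoted in the advisory.
SAMPLE_PAGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<page xmlns="http://www.xwiki.org">
  <id>xwiki:XWiki.mallory</id>
  <fullName>XWiki.mallory</fullName>
  <content>= About me =
I help with the documentation.

{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}
</content>
</page>
"""

if __name__ == "__main__":
    print(profile_rest_url("https://wiki.example.org/xwiki", "xwiki", "mallory"))
    verdict = review_profile(SAMPLE_PAGE_XML)
    print("safe to disable:", verdict["safe_to_disable"])
    for number, macro, line in verdict["findings"]:
        print(f"line {number}: {macro} -> {line}")
```

Run find_script_macros over every text field of the profile the user can edit, not only the page body, and treat any hit as a reason to hold off disabling until the instance is patched. A macro quoted inside a verbatim block such as {{code}} will also be flagged; that is a false positive worth a manual look rather than a reason to weaken the pattern.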
Exploit Status
EPSS: 14.13% (94th percentile)
The primary mitigation is to upgrade xwiki-platform-oldcore to the fixed release for your branch: 14.10.21, 15.5.5, 15.10.6 or 16.0.0, or later. Back up the instance before upgrading. Until the upgrade is done, treat disabling an account as a privileged operation: before disabling any user, inspect the wiki source of that user's profile page (XWiki.<username>) and every profile field the user can edit, and look for script macros such as {{groovy}}, {{velocity}}, {{python}} and {{script}}. If any are present, defer disabling that account until the instance is patched, or block the account by other means such as at the identity provider, and do not edit the profile as an administrator: saving a page as an administrator makes the administrator its content author, and any script left in it would then run with admin rights. Limit the number of administrators who disable accounts so the check is actually performed. Generic input validation on profile data is not a reliable workaround, because the profile is wiki content and script macros are legitimate wiki syntax; there is no substitute for the patch. After upgrading, verify the fix on a non-production copy: put the advisory's benign logging payload in a test user's profile, disable that user as an administrator, and confirm that "Hello from Groovy!" does not appear in the XWiki log.
Update XWiki Platform to version 14.10.21, 15.5.5, 15.10.6 or 16.0.0, or a later version. This corrects the vulnerability that allows remote code execution when disabling a user account.
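Deciding whether an installation is affected means comparing its oldcore version against the fixed release of its own branch, with release candidates sorting before the final release. The Python below is an added example for this page, not XWiki project code: it parses XWiki version strings, maps a version to the first fixed release of its branch using the versions listed above, and reads the declared xwiki-platform-oldcore version out of a Maven pom.xml. The sample pom is constructed; the branch boundaries (15.0 to 15.5, 15.6 to 15.10, 16.0.0 release candidates) are inferred from the fixed versions and should be checked against the advisory for your branch.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int  # 1 for a release, 0 for a pre-release such as 16.0.0-rc-1


def parse_version(text: str) -> Version:
    """Parse XWiki version strings such as '14.10.21', '15.5' or '16.0.0-rc-1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.-]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return Version(int(major), int(minor), int(patch or 0), 0 if qualifier else 1)


# (first version of the branch, first fixed version in that branch), taken from the
# upgrade advice on this page. Everything below 15.0 is fixed only in 14.10.21.
FIXED_BY_BRANCH = [
    (Version(0, 0, 0, 0), Version(14, 10, 21, 1)),
    (Version(15, 0, 0, 0), Version(15, 5, 5, 1)),
    (Version(15, 6, 0, 0), Version(15, 10, 6, 1)),
    (Version(16, 0, 0, 0), Version(16, 0, 0, 1)),
]


def fixed_version_for(v: Version) -> Version:
    """First fixed release of the branch that v belongs to."""
    fixed = FIXED_BY_BRANCH[0][1]
    for branch_start, branch_fix in FIXED_BY_BRANCH:
        if v >= branch_start:
            fixed = branch_fix
    return fixed


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version predates the fix for its branch."""
    v = parse_version(version_text)
    return v < fixed_version_for(v)


MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def oldcore_version_from_pom(pom_xml: str) -> Optional[str]:
    """Declared version of xwiki-platform-oldcore, with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", MAVEN_NS)}
    for dep in root.iter("{http://maven.apache.org/POM/4.0.0}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        if group == "org.xwiki.platform" and artifact == "xwiki-platform-oldcore":
            version = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
            resolved = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), version)
            return resolved or None
    return None


# Constructed sample pom.xml for a hypothetical extension that depends on oldcore.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>wiki-extension</artifactId>
  <version>1.0</version>
  <properties>
    <xwiki.version>15.10.5</xwiki.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-oldcore</artifactId>
      <version>${xwiki.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    declared = oldcore_version_from_pom(SAMPLE_POM)
    fix = fixed_version_for(parse_version(declared))
    status = "VULNERABLE" if is_vulnerable(declared) else "fixed"
    print(f"xwiki-platform-oldcore {declared}: {status}; first fixed release {fix.major}.{fix.minor}.{fix.patch}")
```

The pre-release flag matters: 16.0.0-rc-1 is affected while 16.0.0 is not, and a naive string or numeric comparison would get that wrong. The pom reader only resolves properties defined in the same file; a version inherited from a parent pom or set through dependencyManagement has to be checked in the resolved build output instead.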
CVE-2024-37899 is a critical remote code execution vulnerability in XWiki Platform oldcore. Disabling a user account executes that user's profile with the administrator's rights, so script macros planted in the profile run with admin privileges.
You are affected if you run a release before 14.10.21, a 15.0 to 15.5 release before 15.5.5, a 15.6 to 15.10 release before 15.10.6, or a 16.0.0 release candidate. Check your version now and upgrade if necessary.
Upgrade XWiki Platform oldcore to 14.10.21, 15.5.5, 15.10.6 or 16.0.0, or later. Back up your instance before upgrading.
Active exploitation is unconfirmed, but the critical severity and the trivial reproduction make exploitation likely.
Refer to the official XWiki security advisory for detailed information and updates: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)