cve-2024-37900
Vulnerability from cvelistv5
Published
2024-07-31 15:15
Modified
2024-08-13 13:37
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
References
security-advisories@github.comhttps://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28Patch
security-advisories@github.comhttps://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfdPatch
security-advisories@github.comhttps://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949Patch
security-advisories@github.comhttps://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573fPatch
security-advisories@github.comhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5gVendor Advisory
security-advisories@github.comhttps://jira.xwiki.org/browse/XWIKI-19602Exploit, Issue Tracking
security-advisories@github.comhttps://jira.xwiki.org/browse/XWIKI-19611Exploit, Issue Tracking
security-advisories@github.comhttps://jira.xwiki.org/browse/XWIKI-21769Exploit, Issue Tracking
Impacted products
Vendor Product Version
xwiki xwiki-platform Version: >= 4.2-milestone-3, < 14.10.21
Version: >= 15.0-rc-1, < 15.5.5
Version: >= 15.6-rc-1, < 15.10.6
Version: >= 16.0.0-rc-1, < 16.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "xwiki",
                  vendor: "xwiki",
                  versions: [
                     {
                        lessThan: "14.10.21",
                        status: "affected",
                        version: "4.2-milestone-3",
                        versionType: "custom",
                     },
                     {
                        lessThan: "15.5.5",
                        status: "affected",
                        version: "15.0-rc-1",
                        versionType: "custom",
                     },
                     {
                        lessThan: "15.10.6",
                        status: "affected",
                        version: "15.6-rc",
                        versionType: "custom",
                     },
                     {
                        lessThan: "16.0.0",
                        status: "affected",
                        version: "16.0.0-rc-1",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-37900",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-08-01T14:43:57.149734Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-08-13T13:37:13.581Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "xwiki-platform",
               vendor: "xwiki",
               versions: [
                  {
                     status: "affected",
                     version: ">= 4.2-milestone-3, < 14.10.21",
                  },
                  {
                     status: "affected",
                     version: ">= 15.0-rc-1, < 15.5.5",
                  },
                  {
                     status: "affected",
                     version: ">= 15.6-rc-1, < 15.10.6",
                  },
                  {
                     status: "affected",
                     version: ">= 16.0.0-rc-1, < 16.0.0",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 6.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-96",
                     description: "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-07-31T15:15:31.013Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g",
            },
            {
               name: "https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28",
            },
            {
               name: "https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd",
            },
            {
               name: "https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949",
            },
            {
               name: "https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f",
            },
            {
               name: "https://jira.xwiki.org/browse/XWIKI-19602",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://jira.xwiki.org/browse/XWIKI-19602",
            },
            {
               name: "https://jira.xwiki.org/browse/XWIKI-19611",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://jira.xwiki.org/browse/XWIKI-19611",
            },
            {
               name: "https://jira.xwiki.org/browse/XWIKI-21769",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://jira.xwiki.org/browse/XWIKI-21769",
            },
         ],
         source: {
            advisory: "GHSA-wf3x-jccf-5g5g",
            discovery: "UNKNOWN",
         },
         title: "XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-37900",
      datePublished: "2024-07-31T15:15:31.013Z",
      dateReserved: "2024-06-10T19:54:41.362Z",
      dateUpdated: "2024-08-13T13:37:13.581Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-37900\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-31T16:15:03.440\",\"lastModified\":\"2025-01-10T16:54:03.820\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.\"},{\"lang\":\"es\",\"value\":\" XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Al cargar un archivo adjunto con un nombre de archivo malicioso, se podría ejecutar código JavaScript malicioso. Esto requiere un ataque de ingeniería social para lograr que la víctima cargue un archivo con un nombre malicioso. El código malicioso se ejecuta únicamente durante la carga y afecta únicamente al usuario que carga el archivo adjunto. Si bien esto permite realizar acciones en nombre de ese usuario, parece poco probable que un usuario no note el nombre de archivo malicioso al cargar el archivo adjunto. Esto ha sido parcheado en XWiki 14.10.21, 15.5.5, 15.10.6 y 16.0.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-96\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"4.2\",\"versionEndExcluding\":\"14.10.21\",\"matchCriteriaId\":\"6877989B-3406-4652-B0A5-65CA43981366\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"15.0\",\"versionEndExcluding\":\"15.5.5\",\"matchCriteriaId\":\"CA7D00D6-D2DD-4678-A328-5C2A7E96FE48\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"15.6\",\"versionEndExcluding\":\"15.10.6\",\"matchCriteriaId\":\"CCB0588B-7F74-423B-9D36-4B8E4F1BA459\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3C88F32-3EFB-4D0E-9046-D13157E6256F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC907C33-432E-4153-B1A2-9B8BF9167E1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:16.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B1CD131A-4CDE-4465-BA81-77A93AFF784B\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-19602\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-19611\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-21769\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-37900\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T14:43:57.149734Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\"], \"vendor\": \"xwiki\", \"product\": \"xwiki\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.2-milestone-3\", \"lessThan\": \"14.10.21\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"15.0-rc-1\", \"lessThan\": \"15.5.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"15.6-rc\", \"lessThan\": \"15.10.6\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"16.0.0-rc-1\", \"lessThan\": \"16.0.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T14:46:41.826Z\"}}], \"cna\": {\"title\": \"XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader\", \"source\": {\"advisory\": \"GHSA-wf3x-jccf-5g5g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-platform\", \"versions\": [{\"status\": \"affected\", \"version\": \">= 4.2-milestone-3, < 14.10.21\"}, {\"status\": \"affected\", \"version\": \">= 15.0-rc-1, < 15.5.5\"}, {\"status\": \"affected\", \"version\": \">= 15.6-rc-1, < 15.10.6\"}, {\"status\": \"affected\", \"version\": \">= 16.0.0-rc-1, < 16.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-19602\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-19602\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-19611\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-19611\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-21769\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-21769\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-96\", \"description\": \"CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-31T15:15:31.013Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-37900\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-13T13:37:13.581Z\", \"dateReserved\": \"2024-06-10T19:54:41.362Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-31T15:15:31.013Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.