CVE-2024-37900 — XWiki Platform is a generic wiki platform offering runtime services for applications
Published: 2024-07-31T15:15:31.013Z
Last modified: 2024-08-13T13:37:13.581Z
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
01 What is this vulnerability?
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user…
02 Affected products
| Vendor | Product | Versions |
|---|---|---|
| xwiki | xwiki-platform | >= 4.2-milestone-3, < 14.10.21; >= 15.0-rc-1, < 15.5.5; >= 15.6-rc-1, < 15.10.6; >= 16.0.0-rc-1, < 16.0.0 |
03 Active exploitation status
Not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. EPSS is the best forward-looking signal for likelihood of exploitation.
04 Recommended remediation
- Patch to a fixed version listed in the vendor advisory (see references below); per the affected-versions table, the fixed releases are 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
- Mitigate with WAF rules, network egress filters, or feature flags where the patch is not yet available.
- Hunt historical logs for exploitation indicators (see Detection signatures below).
05 Technical details
For the full vendor write-up, exploit chains, and reference implementations, see the references list in section 09.
06 Detection signatures
Open the Sigma generator with a pre-filled prompt for this CVE to draft a starting detection in your stack of choice.
07 Related CVEs
No directly-cited follow-up CVEs in the KB record for this advisory. The references list in section 09 carries the vendor cross-references.
08 Timeline
- Published: 2024-07-31T15:15:31.013Z
- Last modified: 2024-08-13T13:37:13.581Z
09 References
- github.com — https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g
- github.com — https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e…
- github.com — https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc0…
- github.com — https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f1…
- github.com — https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28…
- jira.xwiki.org — https://jira.xwiki.org/browse/XWIKI-19602
- jira.xwiki.org — https://jira.xwiki.org/browse/XWIKI-19611
- jira.xwiki.org — https://jira.xwiki.org/browse/XWIKI-21769