Cyber Resilience

CVE-2022-24821

Severity: Medium · Public PoC

Published: 08 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in XWiki 13.10-rc-1, 12.10.11 and 13.4.6 (see vulnerability details)
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)
EPSS Score: 0.0070 (72.4th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24821 is a medium-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in XWiki (vendor: XWiki). Its CVSS v3.1 base score is 6.8 (Medium).

Operationally, this CVE ranks in the top 27.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to create them. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.

CWE(s)

CWE-648: Incorrect Use of Privileged APIs
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 13.10 · 12.0.0 to 12.10.11 · 13.4.0 to 13.4.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.