CVE-2024-37900
Published: 31 July 2024
Summary
CVE-2024-37900 is a medium-severity static code injection (CWE-96) vulnerability in XWiki (vendor XWiki, product XWiki). Its CVSS base score is 6.4 (Medium).
Operationally, it is ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform, is affected by a client-side code injection vulnerability (CWE-94, CWE-96) that triggers when a user uploads an attachment whose filename contains malicious JavaScript. The flaw allows the injected script to execute in the browser during the upload process itself, with a CVSS 3.1 score of 6.4 reflecting the combination of network attack vector, high attack complexity, and required user interaction.
An attacker must first perform social engineering to convince a victim who possesses upload rights to submit a file with a crafted name. Successful exploitation runs arbitrary JavaScript solely in the context of the uploading user, enabling actions such as modifying content or performing privileged operations on that user’s behalf; the malicious filename is visible to the victim, limiting the practicality of the attack.
The vulnerability has been fixed in XWiki releases 14.10.21, 15.5.5, 15.10.6, and 16.0.0, as documented in the project’s GitHub security advisory and the associated code commits that sanitize attachment filenames before processing. The EPSS score remains flat at 0.0533 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2435
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
- CWE(s): CWE-94 (Code Injection), CWE-96 (Static Code Injection)
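The two descriptions above (the deeper analysis and the vulnerability details) both come down to one pattern: an attacker-controlled attachment filename reaches a script-capable rendering sink in the uploader's browser, and the fix is to sanitise the name before it is processed. The following example is added here to illustrate that weakness class and the input-validation control; it is not XWiki's code, and the rendering sink, the filename allow-list, the detector regex and the sample filename and audit entries are all constructed assumptions for the demonstration.

```javascript
// Added example for the weakness class behind CVE-2024-37900. NOT XWiki's code:
// the sink, the validation rules, the detector and the sample data are
// assumptions constructed for illustration.

// Constructed sample: a filename carrying markup, of the kind the advisory
// describes (an attachment name containing JavaScript).
const CONSTRUCTED_FILENAME = 'report<img src=x onerror="alert(1)">.pdf';

// Weak pattern (assumed): the raw filename is concatenated into HTML that the
// upload widget renders in the uploader's browser. Markup in the name becomes
// live DOM, so the handler runs during the upload, as the advisory describes.
function renderUploadRowUnsafe(filename) {
  return `<li class="upload-item">${filename}</li>`;
}

// Hardened pattern: escape the HTML-significant characters before the name is
// placed in an HTML context (equivalent to assigning textContent on a node).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderUploadRowSafe(filename) {
  return `<li class="upload-item">${escapeHtml(filename)}</li>`;
}

// Defence in depth, server side: validate the attachment name before it is
// stored or echoed anywhere. The advisory says the fix sanitises attachment
// filenames before processing; the allow-list below is this example's own
// assumption, not XWiki's rule set.
const FILENAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}$/;

function validateAttachmentName(filename) {
  if (typeof filename !== 'string' || !FILENAME_RE.test(filename)) {
    return { ok: false, reason: 'disallowed character or length' };
  }
  if (filename.includes('..')) {
    return { ok: false, reason: 'dot-dot sequence' };
  }
  return { ok: true, name: filename };
}

// Detection aid: flag upload audit entries whose filename contains markup or
// script-like fragments, for review or alerting.
function looksLikeMarkup(filename) {
  return /[<>]|javascript:|\bon\w+\s*=/i.test(filename);
}

// Constructed audit entries (not real XWiki logs) to exercise the detector.
const CONSTRUCTED_AUDIT = [
  { user: 'alice', filename: 'minutes-2024-07.docx' },
  { user: 'bob', filename: CONSTRUCTED_FILENAME },
];

// Returns the users whose uploads carried a suspicious filename.
function flagSuspiciousUploads(entries) {
  return entries.filter((e) => looksLikeMarkup(e.filename)).map((e) => e.user);
}
```

The escape step is the browser-side fix and the allow-list is the server-side one; either alone closes this particular sink, but a filename that is stored raw will be rendered again in listings, history and search results, so validating at upload time is what prevents the same name from reaching a second unescaped sink later.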
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (automatically derived): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.