CVE-2024-41947
Published: 31 July 2024
Summary
CVE-2024-41947 is a critical-severity Basic XSS (CWE-80) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).
Operationally, ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform for building applications, contains a cross-site scripting vulnerability tracked as CVE-2024-41947. The flaw allows an attacker to inject and execute JavaScript by deliberately creating an edit conflict against a page being modified by a higher-privileged user, resulting in script execution in that user's browser session and full compromise of the XWiki instance's confidentiality, integrity, and availability. The issue is classified under CWE-79 and CWE-80 and carries a CVSS 3.1 score of 9.0.
An authenticated user with basic editing rights can trigger the attack by forcing a conflict during another user's editing session; the injected JavaScript then runs with the privileges of the targeted higher-rights user, enabling actions such as data exfiltration or privilege escalation across the installation.
The vulnerability has been addressed in the official patches released for XWiki 15.10.8 and 16.3.0RC1, with the fixes documented in the project's GitHub security advisory and corresponding commits that prevent malicious conflict payloads from executing scripts.
The EPSS score remains flat at 0.1301 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2277
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on…
more
the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.