CVE-2024-43400
Published: 19 August 2024
Summary
CVE-2024-43400 is a critical-severity Static Code Injection (CWE-96) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).
Operationally, ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform that provides runtime services for applications, is affected by CVE-2024-43400. The flaw allows a user lacking Script or Programming rights to construct a URL that loads a page containing arbitrary JavaScript, corresponding to CWE-96 and CWE-79 weaknesses. The issue carries a CVSS 3.1 score of 9.0 and was disclosed on 2024-08-19.
An attacker can exploit the vulnerability by crafting a malicious URL and using social engineering to induce a victim to visit it. Successful exploitation enables the attacker to execute JavaScript in the context of the target user’s session, potentially achieving high impact on confidentiality, integrity, and availability.
The vulnerability has been addressed in the official patches released for XWiki versions 14.10.21, 15.5.5, 15.10.6, and 16.0.0, as documented in the project’s GitHub security advisory and the linked commit that resolves the underlying issue.
The associated EPSS score remains flat at 0.0727 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2676
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This…
more
requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.