Cyber Resilience

CVE-2024-55662

CriticalPublic PoCRCE

Published: 12 December 2024

Published
12 December 2024
Modified
30 April 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.1277 94.2th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55662 is a critical-severity Static Code Injection (CWE-96) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform contains a remote code execution vulnerability affecting the Extension Repository Application component. The flaw impacts versions from 3.3-milestone-1 through 15.10.8 and 16.2.x, where the application fails to enforce proper authorization checks, allowing unauthorized code execution that requires programming rights. The issue is tracked under CVEs associated with static code injection, incorrect authorization, and improper code generation controls, and carries a CVSS score of 9.9.

Any authenticated user on an affected instance with the Extension Repository Application enabled can exploit the vulnerability to run arbitrary server-side code. Successful exploitation grants full control equivalent to programming rights, enabling actions such as data exfiltration, system modification, or further lateral movement within the environment.

Official advisories recommend upgrading to XWiki 15.10.9 or 16.3.0 to resolve the issue. As a workaround, administrators can disable the Extension Repository Application on instances that do not require it, or manually apply the security patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the ExtensionCode.ExtensionSheet and ExtensionCode.ExtensionAuthorsDisplayer pages.

The EPSS score rose from a low baseline to a peak of 0.4754, indicating emerging exploitation interest after disclosure before receding to the current value of 0.1277.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability…

more

has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
3.3 — 15.10.9 · 16.0.0 — 16.3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-96 CWE-94

Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.

addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

References