Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') (CWE-96)
A vulnerability in XWiki Platform allows a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. The vulnerability involves creating a document with a specific name containing JavaScript code, editing the class, adding a string property, and then getting an admin to open a specially crafted URL.
If successfully exploited, this vulnerability could lead to the execution of arbitrary JavaScript code in the context of a victim's browser. This could result in data theft, manipulation of wiki content, or disruption of the wiki platform's functionality. The attack vector is network-based, with low attack complexity, requiring low privileges and user interaction. The CVSS v3.1 base score is 9.0, indicating a critical severity level. The vulnerability affects confidentiality, integrity, and availability with high impact.
There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at this time.
Patches are available. This vulnerability has been fixed in XWiki versions 14.10.21, 15.5.5, 15.10.6, and 16.0.0. Organizations using XWiki should update to one of these patched versions or later.
1. Update XWiki Platform to one of the patched versions: 14.10.21, 15.5.5, 15.10.6, or 16.0.0.
2. Implement user awareness training to educate users about the risks of clicking on suspicious URLs, especially those related to the wiki platform.
3. Consider implementing additional security controls such as Content Security Policy (CSP) to restrict the execution of arbitrary scripts.
4. Regularly review and restrict user permissions, ensuring the principle of least privilege is followed.
5. Monitor for suspicious activities or unusual URL patterns that might indicate exploitation attempts.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Feedly found the first article mentioning CVE-2024-43400.
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
A CVSS base score of 5.4 has been assigned.