NVD Vulnerability Detail

CVE-2024-37900

Summary	XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Publication Date	Aug. 1, 2024, 1:15 a.m.
Registration Date	Aug. 1, 2024, 10 a.m.
Last Update	Sept. 7, 2024, 6:06 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g	Vendor Advisory
2	https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28	Patch
3	https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd	Patch
4	https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949	Patch
5	https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f	Patch
6	https://jira.xwiki.org/browse/XWIKI-19602	Exploit Issue Tracking
7	https://jira.xwiki.org/browse/XWIKI-19611	Exploit Issue Tracking
8	https://jira.xwiki.org/browse/XWIKI-21769	Exploit Issue Tracking

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-94	コード・インジェクション	https://cwe.mitre.org/data/definitions/94.html

JVN Vulnerability Information

XWiki の xwiki におけるコードインジェクションの脆弱性

Title	XWiki の xwiki におけるコードインジェクションの脆弱性
Summary	XWiki の xwiki には、コードインジェクションの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	July 31, 2024, midnight
Registration Date	Sept. 9, 2024, 10:17 a.m.
Last Update	Sept. 9, 2024, 10:17 a.m.

Affected System

XWiki

xwiki 15.0 以上 15.5.5 未満

xwiki 15.6 以上 15.10.6 未満

xwiki 16.0

xwiki 4.2

xwiki 4.2 より大きい 14.10.21 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-37900	https://www.cve.org/CVERecord?id=CVE-2024-37900
National Vulnerability Database (NVD)
2	CVE-2024-37900	https://nvd.nist.gov/vuln/detail/CVE-2024-37900

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-94	https://jvndb.jvn.jp/ja/cwe/CWE-94.html

その他

No	Name	URL
関連文書
1	github.com (6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28)	https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28
2	github.com (8b8a2d80529b9a9c038014c1eb6c2adc08069dfd)	https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd
3	github.com (910a5018a50039e8b24556573dfe342f143ef949)	https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949
4	github.com (9df46f8e5313af46f93bccd1ebc682e28126573f)	https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f
5	github.com (GHSA-wf3x-jccf-5g5g)	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g
6	jira.xwiki.org (XWIKI-19602)	https://jira.xwiki.org/browse/XWIKI-19602
7	jira.xwiki.org (XWIKI-19611)	https://jira.xwiki.org/browse/XWIKI-19611
8	jira.xwiki.org (XWIKI-21769)	https://jira.xwiki.org/browse/XWIKI-21769

Change Log

No	Changed Details	Date of change
1	[2024年09月09日] 掲載	Sept. 9, 2024, 10 a.m.