- Description
- XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, the ordering of the documents returned by `getdocument.vm` is taken from an unsanitized request parameter (`request.sort`), which allows any user to inject HQL. Depending on the database backend in use, the attacker may be able not only to obtain confidential information such as password hashes from the database, but also to execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround other than upgrading XWiki.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 4.0
- Type
- Secondary
- Base score
- 8.6
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-116
- Hype score
- Not currently trending
CVE-2024-55663 HQL Injection Vulnerability in XWiki Exposes Sensitive Data XWiki Platform is a wiki tool. In versions from 11.10.6 up to before 13.10.5 and 14.3-rc-1, there's an issue in `getdocument.vm`. It uses... https://t.co/xCSvuudxzq
@VulmonFeeds
13 Dec 2024
[CVE-2024-55663: HIGH] XWiki Platform versions below 13.10.5 and 14.3-rc-1 are vulnerable to injection attacks via `getdocument.vm`, allowing attackers to access sensitive data. Ensure to update XWiki for protect...#cybersecurity,#vulnerability https://t.co/suHUOkWKU6 https://t.c
@CveFindCom
12 Dec 2024
```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0A5C5D20-B557-4CF7-B701-4C0F6609517B",
            "versionEndExcluding": "13.10.5",
            "versionStartIncluding": "6.4"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9B57E523-06A8-4964-84FE-361C9AA26990",
            "versionEndExcluding": "14.3",
            "versionStartIncluding": "14.0"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:6.3:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "939A1216-3065-4637-B747-CE8A5E194EEE"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:6.3:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6387A0C9-03A5-43B5-81CB-034A745FF4A0"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:6.3:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E603D197-FC4B-42C1-97EB-634021BB9C61"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```