10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-55877

GHSA ID

GHSA-2r87-74cx-2p7c

EPSS Score

0.98348%

CWE

CWE-96

Published

12/12/2024

Updated

12/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-55877

CVE-2024-55877: XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList

Impact

Any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type XWiki.WikiMacroClass. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to Current User and "Macro Description" to {{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}. Save the page, then go to <host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList. If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable.

Patches

This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.

Workarounds

It is possible to manually apply this patch to the page XWiki.XWikiSyntaxMacrosList.

References

https://jira.xwiki.org/browse/XWIKI-22030
https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-55877

GHSA ID

GHSA-2r87-74cx-2p7c

EPSS Score

0.98348%

CWE

CWE-96

Published

12/12/2024

Updated

12/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-help-ui	maven	>= 9.7-rc-1, < 15.10.11	15.10.11
org.xwiki.platform:xwiki-platform-help-ui	maven	>= 16.0.0-rc-1, < 16.4.1	16.4.1
org.xwiki.platform:xwiki-platform-help-ui	maven	>= 16.5.0-rc-1, < 16.5.0	16.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper output escaping in the XWikiSyntaxMacrosList page's rendering logic. The #translateOrElse macro in the Velocity template handled untrusted user input (macro descriptions) without adequate escaping. Before the patch, when a translation key wasn't found, it directly output the fallback value ($fallback) without sanitization. This allowed attackers to inject Groovy code via macro descriptions that would execute when the macros list was rendered. The commit 40e1afe explicitly adds $services.rendering.escape() to the fallback output path, confirming this was the vulnerable code path. The test cases added in the patch verify proper escaping of dangerous characters, further validating this as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*r wit* *n ***ount **n p*r*orm *r*itr*ry r*mot* *o** *x**ution *y ***in* inst*n**s o* `XWiki.WikiM**ro*l*ss` to *ny p***. T*is *ompromis*s t** *on*i**nti*lity, int**rity *n* *v*il**ility o* t** w*ol* XWiki inst*ll*tion. To r*pro*u**

Reasoning

T** vuln*r**ility st*ms *rom improp*r output *s**pin* in t** XWikiSynt*xM**rosList p***'s r*n**rin* lo*i*. T** #tr*nsl*t*Or*ls* m**ro in t** V*lo*ity t*mpl*t* **n*l** untrust** us*r input (m**ro **s*riptions) wit*out ***qu*t* *s**pin*. ***or* t** p*t

10

Basic Information

Concerned about an active attack path?

CVE-2024-55877: XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList

Impact

Patches

Workarounds

References

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI