CVE-2024-37899
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-37899
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37899.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-37899
- Aliases
- Published
- 2024-06-20T22:13:59.450Z
- Modified
- 2025-12-07T10:07:16.850176Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Disabling a user account changes its author, allowing RCE from user account in XWiki
- Details
-
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add
{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs showattacker - Hello from Groovy!then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.Workarounds
We're not aware of any workaround except upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-21611
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37899.json", "cwe_ids": [ "CWE-94" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37899.json
- https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93
- https://jira.xwiki.org/browse/XWIKI-21611
- https://nvd.nist.gov/vuln/detail/CVE-2024-37899
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1
Database specific
vanir_signatures
[
{
"digest": {
"function_hash": "89445654651191685638023215855337089439",
"length": 437.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-00e8a6d6",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setEmailCheckedTrueNormalUser"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"112575048834069704545330351358115881563",
"146974504942555042984891297846870449541",
"298648748428709901574060292264348364953",
"106418264232468172142199064613606475823",
"221522821867113613314986996583286251044",
"524776929631791737224768806354080597",
"29675055587662100098509039081574199220",
"191747219794973388535799684955346280075",
"234652084940883551952662369307252336727",
"122691285487493070855295481101228548018",
"140853339434775986682289503141644996229",
"168495822808556555288639087418054465547",
"209919923114689296871685190516672455077",
"140568104804334662589465323130880389464",
"191709795002785325039817862804178901596",
"70747606877955237684057727500985449377",
"98382340823708675009789702839575396539",
"86896131535695028244021666962057913221",
"339834962085336781112033418675287650617",
"228905180445685623166195198879970905057",
"108360452894978131049818840990138750641",
"285710636445117680156488012093108200343",
"196866086465046788895307675830476406306",
"37119473197001088168128487425471510142",
"12406452235039334143777821270301288121",
"92492609257415188385630891449809454862",
"57939799343965672295020836722915300856",
"209626784479476873160556222005594396829",
"319080763497953195110545326354230804963",
"321084236004516141200413441001236300452",
"32966040412766717453928466150660661109",
"89826396482849590003531197183255550034",
"216454048707692728943159736952903033781",
"166413361930220508717421117935505358718",
"278906723262356918429434701536004411005",
"87363229729924038141613689558202205996",
"36104458492144368708589900455198919771",
"261070955520986681318617323492681034722",
"88067803301409717213680528854596392673",
"27444536097136724270250982191067070596",
"22319766023793304685598600177714225783",
"5097108950875079281099937478886176985",
"78590945172920988894356322540346464216",
"58396682572791055695757792099230823799",
"296010860916951023142814242707387466978",
"280670077815442915757583091554531178529",
"199018710619823860358962080499250416372",
"164431436366842029014698603973892486442",
"144306037174164585558589392273861492064",
"338524885954250488587459539113841387151",
"5097108950875079281099937478886176985",
"200816638555634772561517174825091674255",
"38762384453874972181370223667345165990",
"328691879660506804514161635339097594523",
"133890035335324963753128618266887588749",
"230337847645472825622366758595623892312",
"317409754510498091790044604661133381880",
"228380609208088783864902372869661135986",
"4757115582665782901670791815611826863",
"302230107614588084675079369168422953545",
"37455385707687726675602474478151595239",
"317409754510498091790044604661133381880",
"70481117417369714809288956558249780487",
"162671967772843275032557866873531721227",
"303750311999349711172232534621336537689",
"243714782381896463882614025696754058451",
"230337847645472825622366758595623892312",
"317409754510498091790044604661133381880",
"228380609208088783864902372869661135986",
"4757115582665782901670791815611826863",
"302230107614588084675079369168422953545",
"37455385707687726675602474478151595239",
"317409754510498091790044604661133381880",
"53638031017082498689591410726363425415",
"276217560600800490930215128000961992553",
"216878672423006716614944450633254554137",
"294968890789768750868651703159458541385",
"241429240656895534385892156441892319478",
"39200669032881489251751180589698544780",
"142822850165846349450962895665992616946",
"307688902490735714593412276183377759935",
"183141547366997291977018600945576370993",
"303575487563523948642059829690936390495",
"1312376915728599757575317091341374540",
"259205938693104951678895603031172306204",
"201775210781175115425148811567998093152",
"295401049573586472316252139028251102448",
"133085839211609299793920337277204457417",
"22020258817543812262990111435454149644",
"275659640991393531675531915817454094494",
"234073594349091528088792805489850860632",
"206997775760880507491386448907461914554",
"149510150835569130514783445364590771458",
"168090953188041034030140823424025565681",
"332290693584251437861947453950286329210",
"82222415225717087383821483473109583157",
"5097108950875079281099937478886176985",
"44629323575126441702704727186867972128",
"300544487158438656722377056635427277751",
"117224646968649732129455500212608080019",
"170727259951685942335596460883103929581",
"59052588520489507423958612059092995696",
"262438594225057628816571660330420868095",
"117501619747474972276680543552415723741",
"289485752305277713500858227040602267202",
"5097108950875079281099937478886176985",
"293374774238487229596091718489105654660",
"307373208402431064153139108427455468304",
"167227256922494108591602053298639316854",
"166238688699245050679328703668152329916",
"203894054552970234511400904309605071395",
"317409754510498091790044604661133381880",
"254659806419353013767944692383735736052",
"121457081239036704010344371320286484695",
"248167210373292212879119495776731996382",
"46348232827628875954102020259377817152",
"317409754510498091790044604661133381880",
"70481117417369714809288956558249780487",
"176992763039704448234914267172276494412",
"7795080119791656524608886079087484026",
"289206829395917275990850424700305640930",
"203894054552970234511400904309605071395",
"317409754510498091790044604661133381880",
"254659806419353013767944692383735736052",
"121457081239036704010344371320286484695",
"248167210373292212879119495776731996382",
"46348232827628875954102020259377817152",
"317409754510498091790044604661133381880",
"53638031017082498689591410726363425415",
"270145900113484023678902325551740251204"
]
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-0a0d271f",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java"
},
"deprecated": false,
"signature_type": "Line"
},
{
"digest": {
"function_hash": "222861640801273297744111025283902395544",
"length": 438.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-2a68879a",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setEmailCheckedFalseNormalUser"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "16929914615700146451371052506229964154",
"length": 431.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-4f1c67f9",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setDisabledFalseNormalUser"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"209355560678089071989225462384729124479",
"197978630566867896082268839429956135413",
"214870391938581826237418477783056693453",
"98431125126203871652409064999167864389",
"238188491692476934898189789932530189597",
"146780106252888982897475334361429492055",
"228199776260292724656358366394657291879",
"281450761905467474687430976303925478334",
"131758231576856553648834084346721806678",
"296272854624750240318655168307076940273",
"111260887317026237416559417073284434872",
"189331049079627167464327331881743173716",
"244987467695786336356236289899071672574",
"119820677183357709240295119927112073720"
]
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-5fd6e564",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiUser.java"
},
"deprecated": false,
"signature_type": "Line"
},
{
"digest": {
"function_hash": "42652475258571161167205966693063137722",
"length": 642.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-71229236",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "isDisabled"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "67913234380717230798481537670177202198",
"length": 1684.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-7183fe9e",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setDisabledGuestOrSuperadminUser"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "282328623321898026961842108829825401221",
"length": 449.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-a53f63b8",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setup"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "99813566171622649121727669642781982914",
"length": 656.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-a6562091",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "isEmailChecked"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "115253362566256030879669461428573240095",
"length": 560.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-b165f8e7",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiUser.java",
"function": "setDisabled"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "54753605841574666484427640738284223957",
"length": 430.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-d2697771",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setDisabledTrueNormalUser"
},
"deprecated": false,
"signature_type": "Function"
},
{
"digest": {
"function_hash": "67913234380717230798481537670177202198",
"length": 1684.0
},
"source": "https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a",
"id": "CVE-2024-37899-fe7ae70e",
"signature_version": "v1",
"target": {
"file": "xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java",
"function": "setEmailCheckedGuestOrSuperadminUser"
},
"deprecated": false,
"signature_type": "Function"
}
]