CVE-2024-38369

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-38369

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38369.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-38369

Aliases

GHSA-qcj3-wpgm-qpxh

Published

2024-06-24T16:39:37.695Z

Modified

2026-02-07T05:27:43.652549Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

XWiki programming rights may be inherited by inclusion

Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using {{include reference="targetdocument"/}} is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the include macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38369.json"
}

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fdba4ca1398766e912f7888af5bdefbeef60d8b0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38369.json"

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

2fb90a0ce754017c7c457f12aeec3ca32b6ed310

Fixed

96b4a230ee41ef74268c9720722f6473c705583d

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38369.json"