XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis; the issue is classified as CWE-862 (Missing Authorization). To reproduce, as a user on the main wiki without any special rights, view the document Scheduler.WebHome in a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on Scheduler.WebPreferences to match the patch. After upgrading or applying the workaround, repeat the same check as an unprivileged main-wiki user to confirm that the operation is now refused.
{
"cwe_ids": [
"CWE-862"
],
"cna_assigner": "GitHub_M",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55876.json"
}[
{
"digest": {
"length": 1349.0,
"function_hash": "320699107581045178202029475314457317510"
},
"id": "CVE-2024-55876-64018ff1",
"source": "https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-ui/src/test/java/org/xwiki/scheduler/ui/SchedulerPageTest.java",
"function": "setUp"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"46160026413921582650173818823406653908",
"53394366996646667747230855980354624906",
"328475681764110367668589555051324554285",
"93757110941715075689404303730189585394",
"2945587470618018015807513154073979190",
"223659179877606088847008751106187876147",
"117590846199278513449966482990812237134",
"43376088918460774220711317085128669976",
"298879766897520214873839442708812904055",
"275296427927977162491138040574253409185",
"32716400321826755511660945267566513297",
"9101197268986673535591384068308652669",
"135547552173379052912357377076235266742",
"173665972753598113912933213513314952833",
"201731330622560764930679738265060345690",
"163667138149446606057957718696297844299",
"133418458471533577780772821660904057879",
"206941301287037684489017932711097277881",
"166173430592326304272808121030693592298",
"139291846678229305091523637256576183177",
"321866523414477752185910432791875176648",
"328233122640759864520580522136597488730",
"75507021343667284522501236673242030840",
"86621556755989173500902081581790208064"
]
},
"id": "CVE-2024-55876-984dcf7a",
"source": "https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-ui/src/test/java/org/xwiki/scheduler/ui/SchedulerPageTest.java"
},
"signature_version": "v1",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55876.json"