Login Sign Up

CVE-2024-37901

9.9 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows any user with edit rights on any XWiki page to perform arbitrary remote code execution by adding specific objects to their user profile or other pages. This compromises the entire XWiki installation's confidentiality, integrity, and availability. All XWiki installations with users having edit permissions are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions before 14.10.21, 15.5.5, and 15.10.2
Operating Systems: All platforms running XWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Default XWiki installations typically allow users to edit their own profiles, making most deployments vulnerable.

📦 What is this software?

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise: attacker gains full control over the XWiki server, can execute arbitrary commands, access/modify all data, and potentially pivot to other systems.

🟠

Likely Case

Attacker with edit rights (common in collaborative wikis) executes malicious code to steal sensitive data, deface content, or install backdoors.

🟢

If Mitigated

Limited impact if edit rights are strictly controlled and only granted to highly trusted users, though risk remains for those users.

🌐 Internet-Facing: HIGH - Any internet-facing XWiki instance with user edit capabilities is immediately vulnerable to exploitation.
🏢 Internal Only: HIGH - Internal instances are equally vulnerable; any user with edit rights can exploit this regardless of network location.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires edit rights but is straightforward once those rights are obtained; weaponization is likely given the high impact and public advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.21, 15.5.5, or 15.10.2

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5

Restart Required: Yes

Instructions:

1. Identify your XWiki version. 2. Upgrade to 14.10.21, 15.5.5, or 15.10.2 depending on your branch. 3. Restart the XWiki application server.

🔧 Temporary Workarounds

Restrict Edit Permissions

all

Temporarily remove edit rights from all non-administrative users to prevent exploitation.

Use XWiki administration interface to modify global or space permissions, removing edit rights for users/groups.

🧯 If You Can't Patch

  • Immediately audit and restrict all user edit permissions to only absolutely necessary trusted administrators.
  • Monitor logs for suspicious activity related to XWiki.SearchSuggestConfig or XWiki.SearchSuggestSourceClass object creation.

🔍 How to Verify

Check if Vulnerable:

Check XWiki version via administration panel; if below 14.10.21, 15.5.5, or 15.10.2, you are vulnerable.

Check Version:

In XWiki, navigate to Administration > About or check the XWiki WAR file version.

Verify Fix Applied:

After patching, confirm version is 14.10.21, 15.5.5, or 15.10.2 or higher via administration panel.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing creation or modification of XWiki.SearchSuggestConfig or XWiki.SearchSuggestSourceClass objects by non-admin users.

Network Indicators:

  • Unusual outbound connections from XWiki server post-edit actions.

SIEM Query:

source="xwiki.log" AND ("XWiki.SearchSuggestConfig" OR "XWiki.SearchSuggestSourceClass") AND user!="admin"

📊 Metadata

CVE ID: CVE-2024-37901
CVSS v3 Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-95
Published: July 31, 2024
Last Updated: September 6, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-37901, you might also want to check these:

CVE-2025-68271 10.0

OpenC3 COSMOS versions 5.0.0 through 6.10.1 contain a critical remote code execution vulnerability i...

Same vulnerability type (CWE-95)
CVE-2025-55727 10.0

CVE-2025-55727 is a critical remote code execution vulnerability in XWiki Remote Macros that allows ...

Same vulnerability type (CWE-95)
CVE-2025-54322 10.0

CVE-2025-54322 is an unauthenticated remote code execution vulnerability in Xspeeder SXZOS that allo...

Same vulnerability type (CWE-95)