CVE-2024-43400

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Published: Aug 19, 2024
Updated: May 4, 2025
CVE: CVE-2024-43400
GHSA: GHSA-wcg9-pgqv-xm5v
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-oldcore	1.1.2	14.10.21
org.xwiki.platform / xwiki-platform-oldcore	15.0-rc-1	15.5.5
org.xwiki.platform / xwiki-platform-oldcore	15.6-rc-1	15.10.6
org.xwiki.platform / xwiki-platform-oldcore	16.0.0-rc-1	16.0.0-rc-1.x
org.xwiki.platform / xwiki-platform-oldcore	16.0.0-rc-1	16.0.0
xwiki / xwiki	15.6	15.10.6
xwiki / xwiki	15.0	15.5.5
xwiki / xwiki	-	14.10.21

Vulnerability Database

CVE-2024-43400

Deep Security Visibility Without the Complexity