CVE-2024-21648

Description

### Impact The rollback action is missing a right protection: it means that a user can rollback to a previous version of the page to gain rights they don't have anymore. This vulnerability impacts all version of XWiki since rollback action is available. ### Patches The problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback. ### Workarounds There's no workaround for this vulnerability, except paying attention to delete old versions of documents that could allow users to gain more rights. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-21257 * Commit: [4de72875ca49602796165412741033bfdbf1e680](https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680) ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

How to fix CVE-2024-21648

To remediate CVE-2024-21648, upgrade the affected package to a fixed version below.

• —upgrade to 15.5.3 or later
• —upgrade to 14.10.17 or later

Is CVE-2024-21648 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 15.0-rc-1, < 15.5.3
• >= 1.0, < 14.10.17

CVSS scores

References (7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21648
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/1f3220f14bb3a4dcbd10d31134c39a06037f9a74
• WEBgithub.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680