CVE-2024-37899: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a critical vulnerability (CVE-2024-37899) that allows unauthorized code execution. When an admin disables a user account, the user's profile is executed with the admin's rights, enabling users to place malicious code in their profile before an admin disables the account. This vulnerability was discovered in November 2023 and patched in January 2024, affecting versions from 13.4.7 through versions prior to 14.10.21, 15.5.5, 15.10.6, and 16.0.0 (GitHub Advisory).

The vulnerability stems from improper handling of user profile execution rights during account disabling. When an administrator disables a user account, the profile content is executed with administrative privileges. The vulnerability can be demonstrated by adding a Groovy script in the user profile's about section, which gets executed with admin rights when the account is disabled. The CVSS v3.1 score is 9.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H), indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

The vulnerability allows any user to execute arbitrary code with administrative privileges, potentially leading to complete system compromise. An attacker can achieve remote code execution by placing malicious code in their user profile and having an administrator disable their account. This impacts the confidentiality, integrity, and availability of the entire XWiki installation (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.21, 15.5.5, 15.10.6, and 16.0.0. There are no known workarounds for this vulnerability, and users are strongly advised to upgrade to the patched versions (GitHub Advisory).