CVE-2024-55877: 
Java vulnerability analysis and mitigation

CVE-2024-55877 affects XWiki Platform, a generic wiki platform. The vulnerability was discovered in versions starting from 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0. The issue was disclosed on December 12, 2024, and allows any authenticated user to perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page (GitHub Advisory).

The vulnerability stems from insufficient input validation in the macro description handling system. Authenticated users without script or programming rights can exploit this by adding an object of type XWiki.WikiMacroClass to any page and injecting malicious code through the macro description field. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating a network-accessible attack with low complexity requirements (NVD).

The vulnerability compromises the confidentiality, integrity, and availability of the entire XWiki installation. Successful exploitation allows attackers to execute arbitrary code with the system's privileges, potentially leading to complete system compromise (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0. For users unable to upgrade immediately, a manual workaround is available by applying a patch to the page XWiki.XWikiSyntaxMacrosList (GitHub Advisory).