CVE-2024-55879: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a critical remote code execution vulnerability (CVE-2024-55879). Starting in version 2.3 and prior to versions 15.10.9 and 16.3.0, any user with script rights could perform arbitrary remote code execution by adding instances of XWiki.ConfigurableClass to any page. The vulnerability was discovered and disclosed on December 12, 2024 (GitHub Advisory).

The vulnerability stems from insufficient security controls in the ConfigurableClass functionality. Users with script rights could exploit this by adding an object of type XWiki.ConfigurableClass to any editable page and manipulating the 'Heading' field to execute arbitrary code. The vulnerability has been assigned a CVSS v3.1 score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, but requiring high privileges (GitHub Advisory).

This vulnerability compromises the confidentiality, integrity, and availability of the entire XWiki installation. When successfully exploited, it allows attackers to execute arbitrary code with the potential to access sensitive information, modify system data, or disrupt service availability (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.9 and 16.3.0. No known workarounds are available except upgrading to these patched versions (GitHub Advisory).