SCA: security update for org.xwiki.platform:xwiki-platform-distribution-war (GHSA-wh34-m772-5398)

high Tenable Cloud Security Plugin ID 419930

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions
13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an
unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used
database backend, the attacker may be able to not only obtain confidential information such as password
hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5
and 14.3-rc-1. There is no known workaround, other than upgrading XWiki. (CVE-2024-55663)

See Also

https://github.com/advisories/GHSA-wh34-m772-5398

Plugin Details

Severity: High

ID: 419930

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.43

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-55663

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 6.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/12/2024

Vulnerability Publication Date: 12/12/2024

Reference Information

CVE: CVE-2024-55663

cwe: CWE-116