Detections
Analytics
XWiki User Registration Remote Code Execution
critical Web App Scanning Plugin ID 114913
Synopsis
XWiki User Registration Remote Code ExecutionDescription
XWiki Platform versions from 2.2 before 14.10.17, from 15.0-rc-1 before 15.5.3, and from 15.6-rc-1 before 15.8-rc-1 suffer from a Server-Side Template Injection (SSTI) due to the lack of sanitization of the user registration form's inputs. By leveraging this vulnerability, a remote and unauthenticated attacker can achieve privilege escalation and achieve code execution on the vulnerable XWiki instance.Solution
Upgrade XWiki to version 14.10.17, 15.5.3, 15.8-rc-1 or later.See Also
Plugin Details
Severity: Critical
ID: 114913
Type: remote
Family: Component Vulnerability
Published: 7/18/2025
Updated: 7/18/2025
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-21650
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2024-21650
Vulnerability Information
CPE: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 1/8/2024
Vulnerability Publication Date: 1/7/2024
Reference Information
CVE: CVE-2024-21650
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6
WASC: Improper Input Handling, OS Commanding
CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 242, 250, 267, 273, 28, 3, 34, 35, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 77, 78, 79, 8, 80, 83, 84, 9
DISA STIG: APSC-DV-002510, APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5