
CVE-2024-37899

XWiki Platform - User Profile Service

XWiki CVSS 9 Updated April 6, 2026

Executive Risk Summary

"A vulnerability in XWiki Platform allows a user to execute malicious code with admin rights when their account is disabled. This is possible by adding malicious code to the user profile before an admin disables the account, which can lead to unauthorized access and data breaches."

Anticipated Attack Path

  1. Attacker adds malicious Groovy code to their user profile
  2. Admin disables the attacker's account, executing the malicious code with admin rights
  3. Attacker gains unauthorized access to the system

Am I Vulnerable?

  • Check the installed XWiki Platform version against 14.10.21, 15.5.5, 15.10.6, and 16.0.0
  • Check system logs for suspicious activity
  • Monitor user account disablement events for signs of malicious code execution
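The version check above is the step most worth automating when many instances have to be reviewed. The script below is an added example, not code from this page or from the XWiki project. It assumes that the four releases listed above are the first patched releases on their respective maintenance lines (14.10.x, 15.5.x, 15.10.x and 16.x), as the vendor advisory states, and it assumes XWiki's usual version strings (`major.minor[.patch][-rc-N]`). A version below the listed release on its line is flagged as needing review; pre-release builds are treated as older than the corresponding final release.

```python
import re

# Patched releases listed in the advisory, one per maintenance line
# (assumption: these are the first fixed releases on each line).
FIXED_VERSIONS = {
    "14.10": "14.10.21",  # applies to 14.10.x and every older release
    "15.5": "15.5.5",     # applies to 15.0 .. 15.5.x
    "15.10": "15.10.6",   # applies to 15.6 .. 15.10.x
    "16.0": "16.0.0",     # applies to 16.x and newer
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z0-9.-]+)?\s*$")


def parse_version(text):
    """Turn '15.10.6' or '16.0.0-rc-1' into a comparable tuple.

    The last element is 0 for a pre-release suffix and 1 for a final
    release, so '16.0.0-rc-1' sorts below '16.0.0'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def reference_release(installed):
    """Pick the fixed release that applies to the installed version's line."""
    major, minor = parse_version(installed)[:2]
    if (major, minor) >= (16, 0):
        return FIXED_VERSIONS["16.0"]
    if (major, minor) >= (15, 6):
        return FIXED_VERSIONS["15.10"]
    if (major, minor) >= (15, 0):
        return FIXED_VERSIONS["15.5"]
    return FIXED_VERSIONS["14.10"]


def assess(installed):
    """Return (status, reference) where status is 'patched' or 'vulnerable'.

    'vulnerable' means the installed version is older than the patched
    release on its maintenance line and should be upgraded.
    """
    ref = reference_release(installed)
    status = "patched" if parse_version(installed) >= parse_version(ref) else "vulnerable"
    return status, ref


def assess_inventory(inventory):
    """Assess a mapping of host -> version string; unparsable entries get 'unknown'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = ("unknown", None)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered from each instance's
    # /xwiki/bin/view/XWiki/XWikiPreferences or the WAR's manifest.
    sample = {
        "wiki-a": "15.10.5",
        "wiki-b": "15.10.6",
        "wiki-c": "16.0.0-rc-1",
        "wiki-d": "14.9.2",
        "wiki-e": "not-a-version",
    }
    for host, (status, ref) in assess_inventory(sample).items():
        print(f"{host:8} {sample[host]:14} {status:10} (fixed in {ref})")
```

Run it with your own inventory in place of the constructed sample; anything reported as `vulnerable` or `unknown` should be verified manually against the vendor advisory before being closed out.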

Operational Audit Arsenal

Target Type Java-based web application
Target Asset xwiki-platform
Standard Path https://github.com/xwiki/xwiki-platform

Manual Verification Required

This is a non-Windows asset (XWiki). Use the target asset details and official path provided above to verify your current version against the official vendor advisories listed below.

Patch Impact Forecast

Reboot Required Unlikely

Minimal, requires XWiki Platform upgrade

Internal Work Notes

This XWiki Platform vulnerability allows malicious code execution with admin rights when a user account is disabled; upgrade immediately to a patched version.


Intelligence Sources

Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.