PRP: Request XWiki user registration feature RCE (CVE-2024-21650) #366
Labels: Contributor main, PRP:Accepted
Hello.
I would like to start implementing a plugin to detect an RCE attack through XWiki's user registration feature.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-21650
https://jira.xwiki.org/browse/XWIKI-21173
Description:
XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests.
Versions:
Cleanup:
I didn't find an account deletion feature for regular users, but I think I'm able to change the "first name" programmatically to something random after registration to remove the payload from there.
Thanks.
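A defender-side check, added here as an example and not part of this issue or of the scanner project: it audits the "first name" and "last name" fields of existing user profiles against a plain-name allowlist, so that registrations carrying markup in those fields stand out for review. The profile record shape, the allowlist rule and the sample data are assumptions, not XWiki's own validation.

```python
from typing import Dict, Iterable, List, Tuple

# Assumption: a human name is made of letters (any script), spaces,
# apostrophes, hyphens and periods, and is at most 64 characters long.
# Braces, angle brackets, dollar signs, parentheses and the like never
# belong in a name, and those are exactly the characters template and
# wiki markup need, so anything outside the allowlist is flagged.
NAME_EXTRA_CHARS = " '-."
NAME_MAX_LEN = 64


def is_plain_name(value: str) -> bool:
    """True if the field looks like an ordinary human name."""
    if not value or len(value) > NAME_MAX_LEN:
        return False
    return all(c.isalpha() or c in NAME_EXTRA_CHARS for c in value)


def audit_profiles(profiles: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, field, value) for every name field that fails the allowlist.

    `profiles` is assumed to be an iterable of dicts with keys
    'user', 'first_name' and 'last_name', e.g. exported from the wiki.
    """
    findings = []
    for profile in profiles:
        for field in ("first_name", "last_name"):
            value = profile.get(field, "")
            if value and not is_plain_name(value):
                findings.append((profile["user"], field, value))
    return findings


# Constructed sample data, not taken from any real wiki.
SAMPLE_PROFILES = [
    {"user": "alice", "first_name": "Alice", "last_name": "O'Brien"},
    {"user": "bob", "first_name": "Jean-Luc", "last_name": "Picard"},
    {"user": "eve", "first_name": "{{not-a-name}}", "last_name": "Test"},
]

if __name__ == "__main__":
    for user, field, value in audit_profiles(SAMPLE_PROFILES):
        print(f"review {user}: {field} = {value!r}")
```

The same `is_plain_name` check can be applied at registration time to reject such values before they are stored.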