How severe is CVE-2024-37900?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.6 out of 10.

What type of vulnerability is CVE-2024-37900?

This is classified as CWE-96, which is a common weakness in software security.

CVE-2024-37900

MEDIUM Year: 2024

CVSS v3 Score

4.6

Medium

Weakness Type

CWE-96

View all →

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

CVE-2024-43400

MEDIUM

CVSS:5.4(Medium)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a pag...

CWE-962024

CVE-2024-0788

MEDIUM

CVSS:5.5(Medium)

SUPERAntiSpyware Pro X v10.0.1260 is vulnerable to kernel-level API parameters manipulation and Denial of Service vulnerabilities by triggering the 0x9C402140 IOCTL code of the saskutil64.sys driver.

CWE-962024

CVE-2024-13263

MEDIUM

CVSS:5.5(Medium)

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno group manager allows PHP Local File Inclusion.This issue affects Opigno group ma...

CWE-962024

CVE-2022-3960

MEDIUM

CVSS:6.3(Medium)

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboar...

CWE-962022

CVE-2020-6143

CRITICAL

CVSS:10.0(Critical)

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code int...

CWE-962020

CVE-2020-6144

CRITICAL

CVSS:10.0(Critical)

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code int...

CWE-962020

CVE-2024-37900

Vulnerability Description

Related Vulnerabilities

CVE-2024-43400

CVE-2024-0788

CVE-2024-13263

CVE-2022-3960

CVE-2020-6143

CVE-2020-6144