CVE-2024-55663 Overview
CVE-2024-55663 is an HQL injection vulnerability in XWiki Platform, an open-source generic wiki platform. The flaw resides in getdocument.vm, where the ordering of returned documents is derived from the unsanitized request.sort parameter. Any authenticated user can inject Hibernate Query Language (HQL) statements through this parameter. Depending on the underlying database backend, attackers can extract confidential data such as password hashes and may also execute UPDATE, INSERT, or DELETE queries. The vulnerability affects XWiki versions from 6.3-milestone-2 up to but not including 13.10.5 and 14.3-rc-1.
Critical Impact
Authenticated attackers can inject HQL queries to exfiltrate credentials and modify database records across affected XWiki deployments.
Affected Products
- XWiki Platform versions 6.3-milestone-2 through 13.10.4
- XWiki Platform 14.x versions prior to 14.3-rc-1
- Deployments using getdocument.vm with database backends supporting HQL
Discovery Timeline
- 2024-12-12 - CVE-2024-55663 published to NVD
- 2025-01-10 - Last updated in NVD database
Technical Details for CVE-2024-55663
Vulnerability Analysis
The vulnerability is classified under [CWE-116] Improper Encoding or Escaping of Output. The getdocument.vm template in XWiki Platform constructs HQL queries that include user-controlled input from the request.sort parameter. XWiki passes this parameter directly into the ORDER BY clause of an HQL query without sanitization or parameterization. Attackers append arbitrary HQL fragments to manipulate query execution.
The impact varies by database backend. On backends that support stacked or compound queries, attackers can chain UPDATE, INSERT, or DELETE statements after the initial ORDER BY. On all backends, attackers can use subqueries, conditional expressions, or UNION-style constructs reachable through HQL to extract sensitive fields, including password hashes stored in the XWiki user tables.
Root Cause
The root cause is the direct concatenation of an unsanitized HTTP request parameter into an HQL query string. The request.sort parameter is used to define document ordering but lacks both an allow-list of valid sort columns and proper parameter binding. HQL injection mirrors SQL injection but operates at the Hibernate object-relational mapping layer, which allows attackers to traverse entity relationships defined in XWiki's data model.
Attack Vector
The attack is delivered over the network through standard HTTP requests. An authenticated user with low-privilege access to any page invoking getdocument.vm crafts a request that includes a malicious sort parameter. The injected HQL is executed in the application's database context, granting the attacker the same privileges as the XWiki database user. No user interaction beyond the attacker's own request is required.
The vulnerability mechanism is described in the XWiki Security Advisory GHSA-wh34-m772-5398. The corresponding source fix is available in XWiki commit 673076e.
Detection Methods for CVE-2024-55663
Indicators of Compromise
- HTTP requests to XWiki endpoints containing sort parameters with HQL keywords such as select, from, where, union, update, insert, or delete
- Unusual ORDER BY clauses appearing in database query logs originating from XWiki sessions
- Unexpected reads from the XWikiUsers table or fields containing password hashes
- Anomalous UPDATE, INSERT, or DELETE operations executed by the XWiki application database account
Detection Strategies
- Inspect web access logs for requests containing suspicious values in the sort query parameter on URLs that load getdocument.vm
- Enable Hibernate SQL logging to identify malformed ORDER BY clauses or stacked statements
- Correlate authenticated XWiki session activity with database query volume spikes from the application service account
Monitoring Recommendations
- Forward XWiki application logs and database audit logs to a centralized analytics platform for query-pattern analysis
- Alert on any database query from the XWiki service account that modifies authentication tables or user credentials
- Track the XWiki version banner across all instances to identify hosts running versions prior to 13.10.5 or 14.3-rc-1
How to Mitigate CVE-2024-55663
Immediate Actions Required
- Upgrade XWiki Platform to version 13.10.5, 14.3-rc-1, or later as soon as possible
- Rotate all XWiki user passwords and any application secrets that may have been stored in the database after confirming the patch is applied
- Review database audit logs for evidence of HQL injection attempts since the vulnerable code was introduced in 6.3-milestone-2
- Restrict the XWiki database account privileges to the minimum required for normal operation
Patch Information
The vulnerability is fixed in XWiki Platform 13.10.5 and 14.3-rc-1. The patch sanitizes the request.sort parameter before it is used in HQL query construction. Review the source change in XWiki commit 673076e and the issue tracker entry XWIKI-17568 for full remediation context.
Workarounds
- No vendor-supplied workaround exists; upgrading XWiki is the only supported remediation per the GitHub Security Advisory
- As a temporary compensating control, deploy a web application firewall rule that blocks requests where the sort parameter contains HQL keywords or non-alphanumeric characters
- Restrict access to authenticated XWiki endpoints to trusted networks until the patch is deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
