目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2025-24893 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
Remote code execution as guest via SolrSearchMacros request in xwiki
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
来源: 美国国家漏洞数据库 NVD
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
XWiki Platform 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在安全漏洞,该漏洞源于任何来宾用户都可以通过对SolrSearch的请求,造成远程代码执行。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
厂商产品影响版本CPE订阅
xwikixwiki-platform >= 5.3-milestone-2, < 15.10.11 -
二、漏洞 CVE-2025-24893 的公开POC
#POC 描述源链接神龙链接
1XWiki Remote Code Execution (CVE-2025-24893) PoC https://github.com/sug4r-wr41th/CVE-2025-24893POC详情
2XWiki SolrSearchMacros 远程代码执行漏洞PoC(CVE-2025-24893)https://github.com/iSee857/CVE-2025-24893-PoCPOC详情
3Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24893.yamlPOC详情
4Nonehttps://github.com/Artemir7/CVE-2025-24893-EXPPOC详情
5Nonehttps://github.com/nopgadget/CVE-2025-24893POC详情
6This is a small script for the rce vulnerability for CVE-2025-24893. It supports basic input/outputhttps://github.com/Kai7788/CVE-2025-24893-RCE-PoCPOC详情
7this is a poc for the CVE-2025-24893https://github.com/AliElKhatteb/CVE-2024-32019-POCPOC详情
8Nonehttps://github.com/dhiaZnaidi/CVE-2025-24893-PoCPOC详情
9Modified exploit for CVE-2025-24893https://github.com/hackersonsteroids/cve-2025-24893POC详情
10PoC exploits CVE-2025-24893 , a remote code execution (RCE) vulnerability in XWiki caused by improper sandboxing in Groovy macros rendered asynchronously. It allows arbitrary command execution through injection into RSS-based SolrSearch endpoints.https://github.com/Infinit3i/CVE-2025-24893POC详情
11PoC for CVE-2025-24893: XWiki' Remote Code Execution exploit for versions prior to 15.10.11, 16.4.1 and 16.5.0RC1.https://github.com/gunzf0x/CVE-2025-24893POC详情
12CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, 16.5.0RC1) caused by improper handling of Groovy expressions in the SolrSearch macro.https://github.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POCPOC详情
13PoC | XWiki Platform 15.10.10 - Remote Code Execution https://github.com/zs1n/CVE-2025-24893POC详情
14 Proof-of-Concept exploit for CVE-2025-24893, an unauthenticated Remote Code Execution (RCE) vulnerability in XWiki. Exploits a template injection flaw in the SolrSearch endpoint via Groovy script execution.https://github.com/investigato/cve-2025-24893-pocPOC详情
15PoC for CVE-2025-24893https://github.com/570RMBR3AK3R/xwiki-cve-2025-24893-pocPOC详情
16CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform.https://github.com/IIIeJlyXaKapToIIIKu/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearchPOC详情
17Bash POC script for RCE vulnerability in XWiki Platformhttps://github.com/mah4nzfr/CVE-2025-24893POC详情
18Nonehttps://github.com/Th3Gl0w/CVE-2025-24893-POCPOC详情
19This vulnerability could allow a malicious user to execute remote code by sending appropriately crafted requests to the default search engine SolrSearchhttps://github.com/Hex00-0x4/CVE-2025-24893-XWiki-RCEPOC详情
20POChttps://github.com/The-Red-Serpent/CVE-2025-24893POC详情
21XWiki 15.10.11, 16.4.1 and 16.5.0RC1 Unauthenticated Remote code execution POChttps://github.com/alaxar/CVE-2025-24893POC详情
22POC exploit for CVE-2025-24893https://github.com/D3Ext/CVE-2025-24893POC详情
23A POC for CVE-2025-24893 written in python https://github.com/Retro023/CVE-2025-24893-POCPOC详情
24PoC exploit for XWiki Remote Code Execution Vulnerability (CVE-2025-24893)https://github.com/CMassa/CVE-2025-24893POC详情
25Some poorly crafted exploit scriptshttps://github.com/x0da6h/POC-for-CVE-2025-24893POC详情
26A critical remote code execution (RCE) vulnerability (CVE‑2025‑24893) exists in the XWiki Platform, specifically in the SolrSearch RSS feed endpoint.https://github.com/ibadovulfat/CVE-2025-24893_HackTheBox-Editor-WriteupPOC详情
27Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell. Built during process of pwning HTB “Editor”https://github.com/torjan0/xwiki_solrsearch-rce-exploitPOC详情
28Reverse Shell Payload for CVE-2025-24893https://github.com/AzureADTrent/CVE-2025-24893-Reverse-ShellPOC详情
29Nonehttps://github.com/b0ySie7e/CVE-2025-24893POC详情
30Nonehttps://github.com/andwati/CVE-2025-24893POC详情
31CVE-2025-24893 RCE exploit for XWiki with reverse shell capabilityhttps://github.com/Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893POC详情
32Unauthenticated Remote Code Execution in XWiki via SolrSearch Macrohttps://github.com/gotr00t0day/CVE-2025-24893POC详情
33CVE-2025-24893 exploit https://github.com/ibrahmsql/CVE-2025-24893POC详情
34Nonehttps://github.com/Yukik4z3/CVE-2025-24893POC详情
35Nonehttps://github.com/rvizx/CVE-2025-24893POC详情
36Nonehttps://github.com/Y2F05p2w/CVE-2025-24893POC详情
37XWiki Unauthenticated RCE Exploit for Reverse Shellhttps://github.com/80Ottanta80/CVE-2025-24893-PoCPOC详情
38CVE-2025-24893 toolhttps://github.com/kimtangker/CVE-2025-24893POC详情
39CVE-2025-24893https://github.com/B1ack4sh/Blackash-CVE-2025-24893POC详情
40CVE-2025-24893https://github.com/Ashwesker/Blackash-CVE-2025-24893POC详情
41Nonehttps://github.com/0xDTC/XWiki-Platform-RCE-CVE-2025-24893POC详情
42Nonehttps://github.com/o0wo0o/CVE-2025-24893_ShellPOC详情
43CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in XWiki. It allows an unauthenticated attacker to send a crafted request that is improperly evaluated as code, leading to arbitrary code execution on the server and possible full system compromise.https://github.com/WhiteDominion/CVE-2025-24893POC详情
44Proof of Concept for CVE-2025-24893 demonstrating unauthenticated remote command execution in XWiki through unsafe server-side template evaluation.https://github.com/BreakingRohit/CVE-2025-24893-PoCPOC详情
45CVE-2025-24893https://github.com/Ashwesker/Ashwesker-CVE-2025-24893POC详情
46Unauthenticated RCE exploit for XWiki CVE-2025-24893 via Groovy script injectionhttps://github.com/TomKingori/xwiki-cve-2025-24893-exploitPOC详情
47CVE-2025-24893 | Vulnérabilité d'exécution de code à distance sur la plateforme XWiki (preuve de concept)https://github.com/nohack1212/CVE-2025-24893-POC详情
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC
三、漏洞 CVE-2025-24893 的情报信息
Please 登录 to view more intelligence information
IV. Related Vulnerabilities
Same product: xwiki-platform
Same vendor: xwiki
Same weakness: CWE-95
V. Comments for CVE-2025-24893
匿名用户
2026-01-15 06:08:49

Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.

发表评论