POC details: 14ec1fe3a27b9a57d146414ff490c194bedb8b90

Source
Related vulnerability
Title: XWiki Platform security vulnerability (CVE-2025-24893)
Description: XWiki Platform is an open-source wiki platform from XWiki for building collaborative web applications. XWiki Platform has a security vulnerability: any guest user can achieve remote code execution through a request to SolrSearch.
Description
A critical remote code execution (RCE) vulnerability (CVE-2025-24893) exists in the XWiki Platform, specifically in the SolrSearch RSS feed endpoint.
Introduction
# CVE-2025-24893 – XWiki Remote Code Execution (RCE)

## Overview
**CVE-2025-24893** is a **critical unauthenticated Remote Code Execution (RCE)** vulnerability in **XWiki**, a widely used open-source enterprise wiki platform.  
The flaw exists in the `SolrSearch` macro, which improperly evaluates Groovy expressions embedded in search queries.  

This vulnerability allows **remote, unauthenticated attackers** to execute arbitrary Groovy code on the server, potentially gaining full control of the affected system.

---

## Vulnerability Details

- **CVE ID:** CVE-2025-24893  
- **Severity:** Critical  
- **CVSS v3.1 Score:** 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)  
- **EPSS Score:** 92.01% (Very high likelihood of exploitation)  
- **Published:** February 20, 2025  

---

## Affected Versions
- All versions **prior to**:
  - `15.10.11`
  - `16.4.1`
  - `16.5.0RC1`

## Patched Versions
- `15.10.11`  
- `16.4.1`  
- `16.5.0RC1`
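As an added defender-side helper (not part of the PoC repository or of XWiki itself), the check below maps an XWiki version string onto the fixed versions listed above: a release is treated as affected when it is older than the first fix on its own release branch, or older than every fix when its branch received none. The rule that a release candidate sorts before the final release with the same number is an assumption.

```python
import re

# Fixed versions exactly as listed in the advisory above.
FIXED_VERSIONS = ["15.10.11", "16.4.1", "16.5.0RC1"]


def parse_version(s):
    """Turn '16.5.0RC1' or '15.10.11' into a comparable tuple
    (major, minor, patch, is_final, pre_number).
    Assumption: an RC/milestone sorts before the final release of the
    same number, so is_final is 0 for pre-releases and 1 for finals."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-?(RC|M)-?(\d+))?",
                     s.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {s!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:                       # pre-release marker present
        return (major, minor, patch, 0, int(m[5]))
    return (major, minor, patch, 1, 0)


def is_vulnerable(version, fixed=FIXED_VERSIONS):
    """True if `version` predates the fix for CVE-2025-24893."""
    v = parse_version(version)
    fixed_parsed = sorted(parse_version(f) for f in fixed)
    same_branch = [f for f in fixed_parsed if f[0] == v[0]]
    if same_branch:
        # Branch has a fix: affected only below its first fixed release.
        return v < same_branch[0]
    # No fix on this branch (e.g. 14.x or 17.x): affected only if the
    # version is older than every fixed release.
    return v < fixed_parsed[0]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"wiki-a": "16.2.0", "wiki-b": "15.10.11",
                 "wiki-c": "16.5.0RC1", "wiki-d": "14.10.21"}
    for host, ver in inventory.items():
        state = "AFFECTED" if is_vulnerable(ver) else "fixed"
        print(f"{host}: XWiki {ver} -> {state}")
```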

## 👨‍💻 About Me

I'm Ulfat Ibadov, a penetration tester and cybersecurity mentor currently working with **EC-Council**. My main focus is on offensive security, including red teaming, vulnerability research, and real-world exploitation techniques.

I’ve completed multiple certifications, including:
- Certified Ethical Hacker (CEH & CEH Practical)
- Web Application Hacking and Security (W|AHS)
- Certified Cybersecurity Technician (C|CT)
- Certified Penetration Testing Specialist (CPTS – HTB Academy)
- Certified Penetration Testing Specialist (**BBH – HTB Academy**)

I’m also an active bug bounty hunter and top-ranked participant on platforms like **TryHackMe** and **Hack The Box**, where I currently rank in the top 1%.

I'm passionate about helping others learn ethical hacking through hands-on labs and mentoring.

## 📎 Connect with Me 
- [LinkedIn](https://www.linkedin.com/in/ibadovulfat/)
- [Portfolio](https://about.surf) 
File snapshot

[4.0K] /data/pocs/14ec1fe3a27b9a57d146414ff490c194bedb8b90
├── [3.2K] CVE-2025-24893.py
├── [1.0K] LICENSE
└── [1.9K] README.md

0 directories, 3 files
Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the PoC via the source first.
    2. If the source is no longer available or unreachable, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.