XWiki Platform Vulnerability: Code Execution via User Profile
CVE-2024-31465

8.8 HIGH

Key Information:

Vendor: XWiki
CVE Published: 10 April 2024

Summary

A vulnerability in the XWiki Platform allows any user with edit permissions to perform arbitrary code execution on the server. This occurs when an object of type XWiki.SearchSuggestSourceClass is added to a user profile or any page, leading to severe security implications regarding the confidentiality, integrity, and availability of the XWiki installation. This issue affects versions from 5.0-rc-1 up to 14.10.19, as well as 15.5.0 to 15.5.3 and version 15.9-rc-1. Users are encouraged to upgrade to versions 14.10.20, 15.5.4, or 15.10 RC1, or apply the recommended patch to the XWiki.SearchSuggestSourceSheet document to mitigate this vulnerability.

Affected Version(s)

xwiki-platform >= 5.2-milestone-2, < 14.10.20 (fixed in 14.10.20)

xwiki-platform >= 15.0-rc-1, < 15.5.4 (fixed in 15.5.4)

xwiki-platform >= 15.6-rc-1, < 15.10-rc-1 (fixed in 15.10-rc-1)
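As an added example (not part of the advisory or of XWiki's own code), a Python helper that checks whether a given xwiki-platform version string falls inside the affected ranges listed above; the rule that a milestone or rc qualifier sorts before the final release of the same number is an assumption made for this check.

```python
import re

# Affected ranges for xwiki-platform as listed in this advisory:
# (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = [
    ("5.2-milestone-2", "14.10.20"),
    ("15.0-rc-1", "15.5.4"),
    ("15.6-rc-1", "15.10-rc-1"),
]

# Assumed pre-release ordering: milestone < rc < final release.
QUALIFIER_ORDER = {"milestone": 0, "rc": 1, "": 2}


def parse_version(version):
    """Turn a string such as '15.9-rc-1' into a comparable tuple.

    The numeric part is padded to three components; a qualifier
    (milestone/rc) sorts before a final release with the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised xwiki-platform version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    qualifier = m.group(2) or ""
    qualifier_num = int(m.group(3)) if m.group(3) else 0
    return (tuple(nums), QUALIFIER_ORDER[qualifier], qualifier_num)


def is_affected(version):
    """True if the version lies inside any affected range (lo <= v < hi)."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of each boundary.
    for v in ["14.10.19", "14.10.20", "15.5.3", "15.5.4", "15.9-rc-1", "15.10-rc-1"]:
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```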

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved