Remote Code Execution Vulnerability in XWiki Platform
CVE-2024-31981

Score: 10 (CRITICAL)

Key Information:

Vendor: XWiki
CVE Published: 10 April 2024

Summary

XWiki Platform is a widely used generic wiki engine. Affected versions allow remote code execution through vulnerable PDF export templates. This issue affects versions starting from 3.0.1 up to and including versions 4.10.19, 15.5.0, 15.5.3, and 15.10-rc-1. The fix is to upgrade to a patched version, namely 14.10.20, 15.5.4, or 15.10-rc-1. Where PDF templates are not used, administrators can instead create a document named XWiki.PDFClass, block editing of it, and make sure it carries no style attribute. This is only a workaround; upgrading to a secure version remains the recommended remediation.

Affected Version(s)

xwiki-platform: affected >= 3.0.1, < 14.10.20 (introduced in 3.0.1, fixed in 14.10.20)

xwiki-platform: affected >= 15.0-rc-1, < 15.5.4 (introduced in 15.0-rc-1, fixed in 15.5.4)

xwiki-platform: affected >= 15.6-rc-1, < 15.10-rc-1 (introduced in 15.6-rc-1, fixed in 15.10-rc-1)

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved