Remote Code Execution Vulnerability in XWiki Platform
CVE-2024-31982

10 CRITICAL

Key Information:

Vendor:
XWiki
CVE Published:
10 April 2024

Badges

  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 📰 News Worthy

Summary

CVE-2024-31982 is a remote code execution vulnerability in the XWiki Platform that is reachable through the database search feature. Because database search is available to every user by default, any visitor of a public wiki or any user of a closed wiki can trigger it, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability has been patched in XWiki versions 14.10.20, 15.5.4, and 15.10RC1. If upgrading is not possible, it is recommended to apply the patch manually or, if database search is not explicitly used by users, to delete the page "Main.DatabaseSearch".

Affected Version(s)

xwiki-platform >= 2.4-milestone-1, < 14.10.20

xwiki-platform >= 15.0-rc-1, < 15.5.4

xwiki-platform >= 15.6-rc-1, < 15.10-rc-1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

CVE-2024-31982: XWiki remote code execution as a guest via DatabaseSearch

The database search that ships with XWiki allows remote code execution through the search text. Because database search is accessible to all users by default, any visitor of a public wiki or any user of a closed wiki can execute code remotely. This affects the entire XWiki...

7 months ago

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • 📰 First article discovered by CN-SEC
  • Vulnerability published
  • Vulnerability reserved