XWiki Platform Vulnerability: Remote Code Execution Exploit
CVE-2024-31983
Summary
In multilingual wikis, XWiki Platform lets translations be edited by any user who holds edit right on the document that contains them. This bypasses the rights normally required to author translations: script right for user-scope translations and wiki administration right for wiki-scope translations. Where translation values are not properly escaped at the point they are used, a malicious user can exploit this to execute arbitrary code. Affected versions are 4.3-milestone-2 up to but not including 14.10.20, 15.0-rc-1 up to but not including 15.5.4, and 15.6-rc-1 up to but not including 15.10-rc-1. The issue is fixed in 14.10.20, 15.5.4 and 15.10-rc-1; until an upgrade is possible, restrict edit rights on documents containing translations as a workaround.
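The authorization gap the summary describes, modelled as an added illustration (this is not XWiki's code, and the right names, the two scope values and the sample users and documents are assumptions made for the example): the pre-fix check grants edit on a translation document to anyone with edit right, while the fixed check additionally demands the right the translation's scope requires.

```python
from dataclasses import dataclass

# Right names follow the advisory's wording; XWiki's internal right identifiers
# may differ (assumption made for this illustration).
EDIT, SCRIPT, ADMIN = "edit", "script", "admin"

# Required right per translation scope, as the advisory states it:
# user-scope translations need script right, wiki-scope translations need
# wiki administration right. Other scopes are not modelled here.
REQUIRED_RIGHT_BY_SCOPE = {"USER": SCRIPT, "WIKI": ADMIN}


@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset


@dataclass(frozen=True)
class TranslationDoc:
    name: str
    scope: str  # "USER" or "WIKI" in this model


def can_edit_vulnerable(user: User, doc: TranslationDoc) -> bool:
    """Pre-fix behaviour: edit right alone is enough to save a translation document."""
    return EDIT in user.rights


def can_edit_fixed(user: User, doc: TranslationDoc) -> bool:
    """Fixed behaviour: edit right plus the right the translation scope demands."""
    if EDIT not in user.rights:
        return False
    required = REQUIRED_RIGHT_BY_SCOPE.get(doc.scope)
    if required is None:
        # Unknown scope: deny rather than guess (conservative default chosen for this model).
        return False
    return required in user.rights


def bypass_cases(users, docs):
    """Return (user, document) pairs the vulnerable check allows but the fixed check denies."""
    return [
        (u.name, d.name)
        for u in users
        for d in docs
        if can_edit_vulnerable(u, d) and not can_edit_fixed(u, d)
    ]


# Constructed sample data for the illustration.
USERS = [
    User("editor", frozenset({EDIT})),
    User("scripter", frozenset({EDIT, SCRIPT})),
    User("wikiadmin", frozenset({EDIT, SCRIPT, ADMIN})),
]
DOCS = [
    TranslationDoc("Sandbox.MyTranslations", "USER"),
    TranslationDoc("XWiki.WikiTranslations", "WIKI"),
]

if __name__ == "__main__":
    for user_name, doc_name in bypass_cases(USERS, DOCS):
        print(f"{user_name} could edit {doc_name} before the fix but not after")
```

Running the block lists three bypass cases: the plain editor on both documents, and the script-right user on the wiki-scope document. That is the population the workaround targets when it restricts edit right on translation documents.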
Affected Version(s)
xwiki-platform >= 4.3-milestone-2, < 14.10.20 (patched in 14.10.20)
xwiki-platform >= 15.0-rc-1, < 15.5.4 (patched in 15.5.4)
xwiki-platform >= 15.6-rc-1, < 15.10-rc-1 (patched in 15.10-rc-1)