XWiki Vulnerability Allows Remote Code Execution
CVE-2024-31984
Summary
A vulnerability in XWiki Platform allows for remote code execution due to improperly managed document titles. Through this oversight, an attacker can craft a title to exploit the Solr-based search functionality, enabling arbitrary Groovy code execution. This issue affects all users with the ability to modify space titles, risking the confidentiality, integrity, and availability of XWiki installations. It has been resolved in updates 14.10.20, 15.5.4, and 15.10 RC1, with recommendations for immediate application of patches to ensure system security.
Affected Version(s)
xwiki-platform >= 7.2-rc-1, < 14.10.20 < 7.2-rc-1, 14.10.20
xwiki-platform >= 15.0-rc-1, < 15.5.4 < 15.0-rc-1, 15.5.4
xwiki-platform >= 15.6-rc-1, < 15.10-rc-1 < 15.6-rc-1, 15.10-rc-1
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved