XWiki Platform Vulnerability: Scheduled Jobs Can Be Triggered Remotely
CVE-2024-31985

5.4MEDIUM

Key Information:

Vendor
Xwiki
Status
Xwiki-platform
Vendor
CVE Published:
10 April 2024

Summary

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the Scheduler.WebHome page.

Affected Version(s)

xwiki-platform >= 3.1, < 14.10.19 < 3.1, 14.10.19

xwiki-platform >= 15.0-rc-1, < 15.5.4 < 15.0-rc-1, 15.5.4

xwiki-platform >= 15.6-rc-1, < 15.9 < 15.6-rc-1, 15.9

References

https://github.com/xwiki/xwiki-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef...
x_refsource_MISC
https://github.com/xwiki/xwiki-platform/commit/efd3570f3e...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.