Remote Code Execution Vulnerability in XWiki Platform
CVE-2024-31987

10 CRITICAL

Key Information:

Vendor: XWiki
CVE Published: 10 April 2024

Summary

The XWiki Platform, a widely used generic wiki platform developed by XWiki SAS, contains a security vulnerability in which a user holding only editing privileges can create a custom skin that overrides a template. Because the overridden template is then executed with programming rights, this gives such a user a path to unauthorized remote code execution. Affected versions are those prior to 14.10.19, 15.5.4, and 15.10-rc-1. XWiki SAS has fixed the issue in those releases; no effective workaround is available other than upgrading immediately.

Affected Version(s)

xwiki-platform >= 6.4-milestone-1, < 14.10.19 (introduced in 6.4-milestone-1, fixed in 14.10.19)

xwiki-platform >= 15.0-rc-1, < 15.5.4 (introduced in 15.0-rc-1, fixed in 15.5.4)

xwiki-platform >= 15.6-rc-1, < 15.10-rc-1 (introduced in 15.6-rc-1, fixed in 15.10-rc-1)

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved