XWiki Platform Vulnerability Allows Arbitrary Remote Code Execution
CVE-2024-31988

8.8 HIGH

Key Information:

Vendor:
XWiki
CVE Published:
10 April 2024

Summary

The XWiki Platform contains a vulnerability that allows arbitrary remote code execution when the realtime editor is enabled. The issue is triggered when an admin user interacts with a specially crafted URL or image, which lets an attacker execute unauthorized XWiki syntax, including Groovy or Python scripts. Successful exploitation compromises the confidentiality, integrity, and availability of the entire XWiki installation. Versions prior to 14.10.19, 15.5.4, and 15.9 are affected. Users are advised to upgrade to a patched version; alternatively, a specific code patch can be applied manually to mitigate the risk, although doing so may cause synchronization issues within the realtime editor.

Affected Version(s)

xwiki-platform >= 13.9-rc-1, < 14.10.19 (introduced in 13.9-rc-1, fixed in 14.10.19)

xwiki-platform >= 15.0-rc-1, < 15.5.4 (introduced in 15.0-rc-1, fixed in 15.5.4)

xwiki-platform >= 15.6-rc-1, < 15.9 (introduced in 15.6-rc-1, fixed in 15.9)

CVSS v3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 10 April 2024

  • Vulnerability reserved