CVE-2024-31986

Summary

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an XWiki.SchedulerJobClass XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the Scheduler.WebHome page.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-platform>= 3.1, < 14.10.19affected
xwikixwiki-platform>= 15.0-rc-1, < 15.5.4affected
xwikixwiki-platform>= 15.6-rc-1, < 15.9affected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-95: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References