CVE-2024-31985 MEDIUM

CVE-2024-31985: XWiki Platform CSRF in the job scheduler

Vendor Xwiki
Product xwiki-platform
Weakness CWE-352 · CSRF
Published April 10, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the `Scheduler.WebHome` page.

Key dates

02Disclosure timeline

April 10, 2024 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-23974 WordPress Quick Event Manager Plugin <= 9.7.4 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2023-31089 WordPress Video XML Sitemap Generator Plugin <= 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2019-1958 Cisco HyperFlex Software Cross-Site Request Forgery Vulnerability CVE-2025-31391 WordPress Script Compressor plugin <= 1.7.1 - CSRF to Stored XSS vulnerability CVE-2026-30807 Cross-Site Request Forgery on Extension Pages