CVE-2024-31986 CRITICAL

CVE-2024-31986: XWiki Platform CSRF remote code execution through scheduler job's document reference

Vendor Xwiki

Product xwiki-platform

Weakness CWE-352 · CSRF

Published April 10, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page.

Key dates

02Disclosure timeline

April 10, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-31986 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

Related vulnerabilities

Identifiers

CVE CVE-2024-31986

CWE CWE-352

CVSS 9.1 / CRITICAL

Affected versions

Vendor Xwiki

Product xwiki-platform

Affected >= 3.1, < 14.10.19

Vendor Xwiki

Product xwiki-platform

Affected >= 15.0-rc-1, < 15.5.4

Vendor Xwiki

Product xwiki-platform

Affected >= 15.6-rc-1, < 15.9

CVE-2024-31986: XWiki Platform CSRF remote code execution through scheduler job's document reference

01Description

02Disclosure timeline

03References

04Related CVE