CVE-2024-31987 CRITICAL

CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support

Vendor Xwiki
Product xwiki-platform
Weakness CWE-862 · Missing authorization
Published April 10, 2024
Last update August 20, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading.

Key dates

02Disclosure timeline

April 10, 2024 CVE published
August 20, 2024 Record updated