CVE-2024-31988

Severity CVSS v4.0:

Pending analysis

Type:

CWE-352 Cross-Site Request Forgery (CSRF)

Publication date:

10/04/2024

Last modified:

09/01/2025

Description

XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. As a workaround, one may update `RTFrontend.ConvertHTML` manually with the patch. This will, however, break some synchronization processes in the realtime editor, so upgrading should be the preferred way on installations where this editor is used.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 9.60 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

9.60

Severity 3.x

CRITICAL

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:xwiki:xwiki::::::::	13.9 (including)	14.10.19 (excluding)
cpe:2.3:a:xwiki:xwiki::::::::	15.0 (including)	15.5.4 (excluding)
cpe:2.3:a:xwiki:xwiki::::::::	15.6 (including)	15.9 (excluding)

To consult the complete list of CPE names with products and versions, see this page

CVE-2024-31988

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools