CVE-2024-31997

XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. No known workarounds are available.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/171e7c7d0e56deaa7b3678657ae26ef95379b1ea
https://github.com/xwiki/xwiki-platform/commit/1b2574eb966457ca4ef34e557376b8751d1be90d
https://github.com/xwiki/xwiki-platform/commit/56748e154a9011f0d6239bec0823eaaeab6ec3f7
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c2gg-4gq4-jv5j
https://jira.xwiki.org/browse/XWIKI-21335

Configurations

No configuration.

History

10 Apr 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-10 22:15

Updated : 2024-04-11 12:47

NVD link : CVE-2024-31997

Mitre link : CVE-2024-31997

CVE.ORG link : CVE-2024-31997

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

9.9 /10