CVE-2024-31464

Summary

CVE-2024-31464 is a vulnerability in XWiki Platform, a generic wiki platform. Versions prior to 14.10.19, 15.5.4, and 15.9-rc-1 are affected. The vulnerability allows an attacker with high privileges to access the hash of a password by using the diff feature of the history after deleting the object storing the password. This can potentially expose user passwords if the attacker has rights to edit user pages. The default right scheme in XWiki prevents this vulnerability on user profiles except for users with Admin rights. However, any extensions that use passwords stored in xobjects may also be impacted depending on the page rights. There is currently no way to confirm if this vulnerability has been exploited, as an attacker with enough privilege could have deleted the revision where the xobject was deleted after rolling back the deletion. The danger lies in potential unauthorized access to sensitive information and compromised user accounts.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.