CVSS 3.1 Score 6.8 of 10 (medium)


Published Apr 10, 2024
CWE ID 200


CVE-2024-31464 is a vulnerability in XWiki Platform, a generic wiki platform. Versions prior to 14.10.19, 15.5.4, and 15.9-rc-1 are affected. The vulnerability allows an attacker with high privileges to access the hash of a password by using the diff feature of the history after deleting the object storing the password. This can potentially expose user passwords if the attacker has rights to edit user pages. The default right scheme in XWiki prevents this vulnerability on user profiles except for users with Admin rights. However, any extensions that use passwords stored in xobjects may also be impacted depending on the page rights. There is currently no way to confirm if this vulnerability has been exploited, as an attacker with enough privilege could have deleted the revision where the xobject was deleted after rolling back the deletion. The danger lies in potential unauthorized access to sensitive information and compromised user accounts.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-31464 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options