CVE-2024-31996

Summary

CVE-2024-31996 is a vulnerability in XWiki Platform versions 3.0.1 and prior to 4.10.19, 15.5.4, and 15.10-rc-1, which allows for XWiki syntax injection and remote code execution due to HTML escaping not properly handling `{` characters. The vulnerability has been fixed in XWiki versions 14.10.19, 15.5.5, and 15.9 RC1. Upgrading to the patched versions or replacing `$escapetool.html` with `$escapetool.xml` in XWiki documents are the recommended remediation methods. A workaround is available by patching the document `Panels.PanelLayoutUpdate`, but it is important to note that other extensions may also expose this vulnerability and require patching. The vulnerability is rated as critical with a base score of 10 out of 10 and poses a high risk to organizations, as it can be exploited remotely without requiring any privileges or user interaction, potentially leading to compromise of confidentiality, integrity, and availability of affected systems.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.