CVE-2024-31996
CVSS 3.1 Score 10.0 of 10 (high)
Details
Summary
CVE-2024-31996 is a vulnerability in XWiki Platform versions 3.0.1 and prior to 4.10.19, 15.5.4, and 15.10-rc-1, which allows for XWiki syntax injection and remote code execution due to HTML escaping not properly handling `{` characters. The vulnerability has been fixed in XWiki versions 14.10.19, 15.5.5, and 15.9 RC1. Upgrading to the patched versions or replacing `$escapetool.html` with `$escapetool.xml` in XWiki documents are the recommended remediation methods. A workaround is available by patching the document `Panels.PanelLayoutUpdate`, but it is important to note that other extensions may also expose this vulnerability and require patching. The vulnerability is rated as critical with a base score of 10 out of 10 and poses a high risk to organizations, as it can be exploited remotely without requiring any privileges or user interaction, potentially leading to compromise of confidentiality, integrity, and availability of affected systems.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions