CVE-2024-31996

CVSS 3.1 Score 10.0 of 10 (high)

Details

Published Apr 10, 2024
Updated: Apr 11, 2024
CWE ID 95

Summary

CVE-2024-31996 is a vulnerability in XWiki Platform versions 3.0.1 and prior to 4.10.19, 15.5.4, and 15.10-rc-1, which allows for XWiki syntax injection and remote code execution due to HTML escaping not properly handling { characters. The vulnerability has been fixed in XWiki versions 14.10.19, 15.5.5, and 15.9 RC1. Upgrading to the patched versions or replacing $escapetool.html with $escapetool.xml in XWiki documents are the recommended remediation methods. A workaround is available by patching the document Panels.PanelLayoutUpdate, but it is important to note that other extensions may also expose this vulnerability and require patching. The vulnerability is rated as critical with a base score of 10 out of 10 and poses a high risk to organizations, as it can be exploited remotely without requiring any privileges or user interaction, potentially leading to compromise of confidentiality, integrity, and availability of affected systems.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-31996 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options