CVE-2024-31997
CVSS 3.1 Score 9.9 of 10 (high)
Details
Summary
CVE-2024-31997 is a critical vulnerability affecting XWiki Platform before versions 14.10.19, 15.5.4, and 15.9-RC1. The flaw lies in the platform's handling of UI extension parameters: they are always executed as Velocity code with full programming rights. Consequently, any user with edit access to any document, including their own profile, can create a UI extension that leads to remote code execution. This compromises the confidentiality, integrity, and availability of the entire XWiki installation. The issue is fixed in XWiki 14.10.19, 15.5.4, and 15.9-RC1; no workaround is known, so applying the patch is the only mitigation.
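One way to check an installed XWiki version against the three fix releases listed above, as an added example (not code from the advisory or from the XWiki project). It assumes that only the 14.10 and 15.5 branches received backports, so releases between 15.5.4 and 15.9-RC1 stay vulnerable; the host inventory is constructed.

```python
import re

# Fix releases as stated above. 15.9-RC1 is the main-line fix, so every later
# release carries it; 14.10.19 and 15.5.4 are backports to maintenance branches.
MAINLINE_FIX = "15.9-RC1"
BACKPORT_FIXES = ("14.10.19", "15.5.4")

# Matches MAJOR.MINOR[.PATCH][-rc-N]; accepts '15.9-rc-1' as well as '15.9-RC1'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-?(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return a tuple that sorts correctly: 15.9-RC1 < 15.9 < 15.9.1.

    Milestone or snapshot builds are not handled and raise ValueError.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    # Fourth field: 0 for a release candidate, 1 for a final release.
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def is_fixed(text):
    """True if this XWiki version contains the fix for CVE-2024-31997."""
    v = parse_version(text)
    if v >= parse_version(MAINLINE_FIX):
        return True
    # Below the main-line fix, only a release on a branch that received a
    # backport counts; e.g. 15.7.x never got one and stays vulnerable.
    return any(v[:2] == fix[:2] and v >= fix
               for fix in map(parse_version, BACKPORT_FIXES))


def triage(inventory):
    """Split a {host: version} mapping into (needs_patch, already_fixed)."""
    needs_patch = sorted(h for h, ver in inventory.items() if not is_fixed(ver))
    already_fixed = sorted(h for h, ver in inventory.items() if is_fixed(ver))
    return needs_patch, already_fixed


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = {"wiki-old": "14.4.8", "wiki-lts": "14.10.19", "wiki-mid": "15.7",
                 "wiki-rc": "15.9-rc-1", "wiki-new": "15.10.1"}
    needs_patch, already_fixed = triage(inventory)
    print("needs patch:", needs_patch)       # ['wiki-mid', 'wiki-old']
    print("already fixed:", already_fixed)   # ['wiki-lts', 'wiki-new', 'wiki-rc']
```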