CVE-2024-31997

CVSS 3.1 Score 9.9 of 10 (high)

Details

Published: Apr 10, 2024
Updated: Apr 11, 2024
CWE ID: 862

Summary

CVE-2024-31997 is a critical vulnerability in XWiki Platform before versions 14.10.19, 15.5.4, and 15.10-rc-1. The root cause is the platform's handling of UI extension parameters: they are always evaluated as Velocity code with full programming rights, regardless of who authored the extension. As a result, any user with edit access to any document, including their own user profile, can create a UI extension whose parameters execute arbitrary code on the server, yielding remote code execution. This threatens the confidentiality, integrity, and availability of the entire XWiki installation. The issue is fixed in XWiki 14.10.19, 15.5.4, and 15.9-RC1; no workaround is known, so upgrading is the only mitigation.
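Because there is no workaround, the practical defender task beyond upgrading is triage: find existing UI extension objects whose parameters contain Velocity code and check who authored them. The script below is an added example written for this page, not XWiki's own tooling. It assumes XWiki's XML document export layout (`<xwikidoc>` with `<object>` elements that carry a `<className>` and one `<property>` element per field), that UI extensions are objects of the class `XWiki.UIExtensionClass`, and that their parameters live in a `parameters` field; the sample export is constructed inline.

```python
"""Flag UI extension objects in an XWiki XML export whose parameters look like
Velocity code, i.e. the content path that CVE-2024-31997 evaluates with
programming rights.

Illustrative code, not part of XWiki. Assumptions:
  - the export follows the <xwikidoc> layout: <web>, <name>, <author> at the
    top level and one <object> per attached object;
  - each <object> has a <className> and one <property> element per field;
  - UI extensions use the class XWiki.UIExtensionClass and keep their
    parameters in a field named 'parameters'.
"""
import re
import xml.etree.ElementTree as ET

UI_EXTENSION_CLASS = "XWiki.UIExtensionClass"  # assumed class name

# Velocity directives such as #set( / #if( / #foreach( and references
# such as $x or ${x}. A literal '#' without a following '(' (e.g. a colour
# code "#fff") is not matched.
VELOCITY_RE = re.compile(r"#\w+\s*\(|\$\{?\w")


def find_velocity_ui_extensions(xml_text):
    """Return a list of (document, author, parameters) tuples for every
    UI extension object whose parameters contain Velocity syntax."""
    root = ET.fromstring(xml_text)
    doc_name = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author")
    hits = []
    for obj in root.findall("object"):
        if obj.findtext("className") != UI_EXTENSION_CLASS:
            continue
        params = ""
        for prop in obj.findall("property"):
            field = prop.find("parameters")
            if field is not None and field.text:
                params = field.text
        if VELOCITY_RE.search(params):
            hits.append((doc_name, author, params.strip()))
    return hits


# Constructed sample: a user profile page carrying two UI extensions, one
# with Velocity in its parameters (the suspicious case) and one with a
# plain static label.
SAMPLE_EXPORT = """<xwikidoc>
<web>XWiki</web>
<name>SomeUser</name>
<author>XWiki.SomeUser</author>
<object>
<name>XWiki.SomeUser</name>
<number>0</number>
<className>XWiki.UIExtensionClass</className>
<property><extensionPointId>org.xwiki.platform.template.header.after</extensionPointId></property>
<property><parameters>label=#set($x = 'hello') $x</parameters></property>
<property><content>plain text</content></property>
</object>
<object>
<name>XWiki.SomeUser</name>
<number>1</number>
<className>XWiki.UIExtensionClass</className>
<property><parameters>label=Static text</parameters></property>
</object>
</xwikidoc>"""


if __name__ == "__main__":
    for doc, author, params in find_velocity_ui_extensions(SAMPLE_EXPORT):
        print(f"{doc} (author {author}): {params}")
```

Run it over exports of the wiki's documents (user profiles included, since the page stresses that any editable document qualifies) and compare each flagged author against the set of users who legitimately hold programming rights; any other author is a candidate for review before and after the upgrade.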
