CVE-2024-31985 — MEDIUM (5.4)

Q: How severe is CVE-2024-31985?

CVE-2024-31985 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-31985?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.

Vulnerability Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the `Scheduler.WebHome` page.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Xwiki	Xwiki	>= 3.1.1, < 14.10.19

Related Weaknesses (CWE)

CWE-352

References

FAQ

What is CVE-2024-31985?

CVE-2024-31985 is a vulnerability with a CVSS score of 5.4 (MEDIUM). XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin...

How severe is CVE-2024-31985?

CVE-2024-31985 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-31985?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.