CVE-2024-31986 — CRITICAL (9.0)

Q: How severe is CVE-2024-31986?

CVE-2024-31986 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2024-31986?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.

Vulnerability Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page.

CVSS Score

9.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Xwiki	Xwiki	>= 3.1.1, < 14.10.19

Related Weaknesses (CWE)

CWE-95 CWE-352

References

FAQ

What is CVE-2024-31986?

CVE-2024-31986 is a vulnerability with a CVSS score of 9.0 (CRITICAL). XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWi...

How severe is CVE-2024-31986?

CVE-2024-31986 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2024-31986?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.