9.9

CVE-2024-31987

Exploit

EPSS 33.68%
Published 10.04.2024 21:15:07
Last modified 21.01.2025 15:35:42
Source security-advisories@github.com
Teams watchlist Login
Open Login

XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 6.4 < 14.10.19

Xwiki ≫ Xwiki Version >= 15.0 < 15.5.4

Xwiki ≫ Xwiki Version >= 15.6 < 15.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	33.68%	0.968

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39

Patch

https://github.com/xwiki/xwiki-platform/commit/626d2a5dbf95b4e719ae13bf1a0a9c76e4edd5a2

Patch

https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cv55-v6rw-7r5v

Vendor Advisory

Exploit

https://jira.xwiki.org/browse/XWIKI-21478

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-31987

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-31987

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-31987

EUVD