CVE-2024-31996

Exploit

EPSS 2.1%
Veröffentlicht 10.04.2024 21:15:07
Zuletzt bearbeitet 09.01.2025 18:50:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 3.0.1 < 14.10.19

Xwiki ≫ Xwiki Version >= 15.0 < 15.5.4

Xwiki ≫ Xwiki Version >= 15.6 < 15.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.1%	0.793

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa

Patch

https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a

Patch

https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915

Patch

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5

Vendor Advisory

https://jira.xwiki.org/browse/XCOMMONS-2828

Vendor Advisory

Exploit

https://jira.xwiki.org/browse/XWIKI-21438

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-31996

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-31996

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-31996

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-31996