Cyber Resilience

CVE-2024-31983

Severity: Critical · Public PoC
Published: 10 April 2024
Modified: 21 January 2025
KEV Added: not listed
Patch: 14.10.20, 15.5.4, 15.10RC1
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.2330 (96.1st percentile)
Risk Priority: 34 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31983 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform, contains an authorization flaw in its handling of translations within multilingual wikis. Any user granted only edit rights can modify translation strings that should be restricted to script-right holders for user-scope entries or wiki administrators for wiki-scope entries. The issue affects releases from 4.3-milestone-2 through 14.10.19, 15.5.3, and 15.9 and stems from missing enforcement of the higher privileges normally required to author translations; when an unescaped translation value is later rendered, the flaw can be chained to remote code execution.

An attacker with edit access on a multilingual wiki can therefore supply a malicious translation string that executes arbitrary code in the context of the XWiki application, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.9 score and CWE-862 classification.

Official patches are available in XWiki 14.10.20, 15.5.4, and 15.10RC1; the project advisory and linked commits detail the authorization checks restored in the translation editing path. As an interim measure, administrators can restrict edit rights on documents that store translations.
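The flaw described above is a scope-unaware authorization check: the document edit right is tested, but the stronger right that authoring a translation of a given scope is supposed to require (script right for user-scope, wiki admin for wiki-scope) is not. The following is an added illustration, not XWiki's own code and not its API: a small Python model in which a vulnerable save path checks only the edit right, a hardened save path additionally enforces the scope-specific right, and values are escaped on output so a stored string is treated as data where it is rendered. Names such as Right, Scope, User, TranslationStore, save_vulnerable, save_fixed and demo are hypothetical, and the rights held by the three sample users are constructed for the demonstration; HTML escaping stands in for whatever escaping the real rendering context would need.

```python
# Added example (not XWiki project code). The only rule taken from the advisory
# is: user-scope translations need script right, wiki-scope need wiki admin.
from dataclasses import dataclass, field
from enum import Enum
from html import escape


class Right(Enum):
    EDIT = "edit"      # may edit the document that stores translations
    SCRIPT = "script"  # may author user-scope translations
    ADMIN = "admin"    # wiki administrator; may author wiki-scope translations


class Scope(Enum):
    USER = "user"
    WIKI = "wiki"


# Right that authoring a translation of each scope is supposed to require.
REQUIRED_RIGHT = {Scope.USER: Right.SCRIPT, Scope.WIKI: Right.ADMIN}


@dataclass(frozen=True)
class User:
    name: str
    rights: frozenset


class AuthorizationError(PermissionError):
    """Raised when a save is refused."""


@dataclass
class TranslationStore:
    translations: dict = field(default_factory=dict)

    def save_vulnerable(self, user: User, scope: Scope, key: str, value: str) -> None:
        """CWE-862 shape: only the document edit right is checked, so any
        editor can write translations of either scope."""
        if Right.EDIT not in user.rights:
            raise AuthorizationError(f"{user.name}: missing edit right")
        self.translations[(scope, key)] = value

    def save_fixed(self, user: User, scope: Scope, key: str, value: str) -> None:
        """Hardened: edit right is necessary but not sufficient; the
        scope-specific authoring right is enforced as well."""
        if Right.EDIT not in user.rights:
            raise AuthorizationError(f"{user.name}: missing edit right")
        needed = REQUIRED_RIGHT[scope]
        if needed not in user.rights:
            raise AuthorizationError(
                f"{user.name}: {scope.value}-scope translations require {needed.value} right"
            )
        self.translations[(scope, key)] = value

    def render(self, scope: Scope, key: str, default: str = "") -> str:
        """Treat stored values as untrusted data at output time; HTML escaping
        stands in for the escaping the real rendering context needs."""
        return escape(self.translations.get((scope, key), default))


def can_save(save, user: User, scope: Scope) -> bool:
    """True if the given save method accepts a write from user at scope."""
    try:
        save(user, scope, "greeting", "hello")
    except AuthorizationError:
        return False
    return True


def demo() -> dict:
    """Compare both gates for three constructed users; returns a result map."""
    editor = User("editor", frozenset({Right.EDIT}))
    scripter = User("scripter", frozenset({Right.EDIT, Right.SCRIPT}))
    # Constructed: the admin is modelled as also holding edit and script rights.
    admin = User("admin", frozenset({Right.EDIT, Right.SCRIPT, Right.ADMIN}))
    vuln, fixed = TranslationStore(), TranslationStore()
    results = {}
    for user in (editor, scripter, admin):
        for scope in Scope:
            results[("vulnerable", user.name, scope.value)] = can_save(vuln.save_vulnerable, user, scope)
            results[("fixed", user.name, scope.value)] = can_save(fixed.save_fixed, user, scope)
    # Constructed value containing markup, to show that output is escaped.
    fixed.save_fixed(admin, Scope.WIKI, "banner", "<b>Welcome</b>")
    results["rendered_banner"] = fixed.render(Scope.WIKI, "banner")
    return results


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(outcome, value)
```

Running `demo()` shows the editor succeeding at both scopes through the vulnerable path and being refused at both through the hardened path, while the scripter is accepted only for user-scope and the admin for both; the rendered banner comes back with its angle brackets escaped. The interim workaround in the text (restricting edit rights on the translation documents) corresponds to tightening the first check only; the patch corresponds to adding the second.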

The EPSS score rose from lower values after disclosure to a peak of 0.3626 on 2025-12-11 before receding to the current 0.2330, indicating a period of increased exploitation interest that has since declined.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, this can be exploited for remote code execution if the translation value is not properly escaped where it is used. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may restrict edit rights on documents that contain translations.

CWE(s)

CWE-862: Missing Authorization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 4.3 · 4.3.1 — 14.10.20 · 15.0 — 15.5.4 · 15.6 — 15.10

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-862.

- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.

References