CVE-2024-31983
Published: 10 April 2024
Summary
CVE-2024-31983 is a critical-severity Missing Authorization (CWE-862) vulnerability in XWiki Platform (listed by NVD under vendor/product "Xwiki Xwiki"). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform, contains an authorization flaw in its handling of translations within multilingual wikis. Any user granted only edit rights can modify translation strings that should be restricted to script-right holders for user-scope entries or wiki administrators for wiki-scope entries. The issue affects releases from 4.3-milestone-2 through 14.10.19, 15.5.3, and 15.9 and stems from missing enforcement of the higher privileges normally required to author translations; when an unescaped translation value is later rendered, the flaw can be chained to remote code execution.
An attacker with edit access on a multilingual wiki can therefore supply a malicious translation string that executes arbitrary code in the context of the XWiki application, resulting in full compromise of confidentiality, integrity, and availability as reflected in the CVSS 9.9 score and CWE-862 classification.
Official patches are available in XWiki 14.10.20, 15.5.4, and 15.10RC1; the project advisory and linked commits detail the authorization checks restored in the translation editing path. As an interim measure, administrators can restrict edit rights on documents that store translations.
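The authorization rule described above, as an added Python model that is not XWiki's own code: the rights vocabulary (edit, script, admin) and the two translation scopes come from the advisory text, while `REQUIRED_RIGHT`, `TranslationEdit`, `authorize_vulnerable`, `authorize_fixed`, `audit` and the `SAMPLE_EDITS` records are assumed names and constructed data. It contrasts the pre-fix check (edit right alone) with the scope-aware check the patches restore, and uses the difference to flag translation edits that deserve review after patching.

```python
from dataclasses import dataclass

# Right normally required to author a translation, per scope (from the advisory):
# user-scope translations need script right, wiki-scope translations need wiki admin.
REQUIRED_RIGHT = {"USER": "script", "WIKI": "admin"}


@dataclass(frozen=True)
class TranslationEdit:
    """One saved change to a translation string (hypothetical record shape)."""
    doc: str              # document holding the translation bundle
    scope: str            # "USER" or "WIKI"
    editor: str           # user who saved the change
    rights: frozenset     # rights that user held on the document when saving


def authorize_vulnerable(edit: TranslationEdit) -> bool:
    """Pre-fix behaviour as described on this page: any edit right is enough."""
    return "edit" in edit.rights


def authorize_fixed(edit: TranslationEdit) -> bool:
    """Post-fix behaviour: edit right plus the right the translation scope requires."""
    if edit.scope not in REQUIRED_RIGHT:
        raise ValueError(f"unknown translation scope {edit.scope!r}")
    return "edit" in edit.rights and REQUIRED_RIGHT[edit.scope] in edit.rights


def audit(edits):
    """Edits the vulnerable check accepted but the fixed check rejects.

    These are translation values an under-privileged user could have written
    while the wiki was unpatched; their content should be reviewed before it
    is rendered anywhere that does not escape translation values.
    """
    return [e for e in edits if authorize_vulnerable(e) and not authorize_fixed(e)]


# Constructed sample history (not real XWiki data).
SAMPLE_EDITS = [
    TranslationEdit("Sandbox.Translations", "USER", "alice", frozenset({"edit", "script"})),
    TranslationEdit("Sandbox.Translations", "USER", "bob", frozenset({"edit"})),
    TranslationEdit("XWiki.WikiTranslations", "WIKI", "carol", frozenset({"edit", "script"})),
    TranslationEdit("XWiki.WikiTranslations", "WIKI", "dave", frozenset({"edit", "admin"})),
    TranslationEdit("XWiki.WikiTranslations", "WIKI", "eve", frozenset({"view"})),
]

if __name__ == "__main__":
    for e in audit(SAMPLE_EDITS):
        print(f"review {e.doc} ({e.scope} scope): saved by {e.editor} with rights {sorted(e.rights)}")
```

Running the block lists the two edits (bob's user-scope change without script right, carol's wiki-scope change without admin) that the restored checks would have refused.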
The EPSS score rose from lower values after disclosure to a peak of 0.3626 on 2025-12-11 before receding to the current 0.2330, indicating a period of increased exploitation interest that has since declined.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1341
Vulnerability details
XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, this can be exploited for remote code execution if the translation value is not properly escaped where it is used. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may restrict edit rights on documents that contain translations.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before mobile device connections are allowed directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.