CVE-2024-31986
Published: 10 April 2024
Summary
CVE-2024-31986 is a critical-severity Eval Injection (CWE-95) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).
Operationally, ranked in the top 7.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform contains a remote code execution vulnerability affecting versions from 3.1 up to but not including 14.10.19, 15.5.4, and 15.10-rc-1. The flaw stems from insufficient validation of document references combined with XWiki.SchedulerJobClass objects, allowing crafted content to trigger arbitrary server-side code execution when the scheduler page is loaded or referenced.
An attacker with the ability to create documents in the wiki can exploit the issue. When an administrator subsequently visits the scheduler page or the malicious reference is rendered (for example through an embedded image in a comment), the attacker’s code runs with the privileges of the XWiki process, achieving full compromise of the server. The attack combines elements of improper neutralization of directives (CWE-95) and cross-site request forgery (CWE-352) and carries a CVSS 3.1 score of 9.0.
Public advisories and patches indicate the issue was resolved in XWiki 14.10.19, 15.5.5, and 15.9. The recommended workaround is to apply the provided patch directly to the Scheduler.WebHome page; the fixes are documented in the associated GitHub commits and the XWiki Jira ticket XWIKI-21416.
EPSS scores have remained low, reaching a peak of 0.1081 before receding to the current value of 0.0790, with no reported real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1076
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code…
more
on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Detects anomalous request patterns consistent with cross-site request forgery.