CVE-2024-31988
Published: 10 April 2024
Summary
CVE-2024-31988 is a critical-severity CSRF (CWE-352) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform versions from 13.9-rc-1 through 14.10.18, 15.5.3, and 15.9 contain a vulnerability in the realtime editor component that permits arbitrary remote code execution. The flaw stems from insufficient protection of the RTFrontend.ConvertHTML endpoint, allowing crafted XWiki syntax containing Groovy or Python macros to be executed when processed by an administrator account that possesses programming rights. The issue is tracked as CWE-352 and carries a CVSS 3.1 score of 9.6.
An unauthenticated attacker can exploit the weakness by inducing an administrator to visit a maliciously constructed URL or to load an image whose source attribute points to that URL, for example by embedding it in a comment or wiki page. Successful interaction causes the server to interpret and run attacker-supplied scripting macros, resulting in full compromise of the confidentiality, integrity, and availability of the XWiki installation.
Official patches released in XWiki 14.10.19, 15.5.4, and 15.9 address the endpoint; the project advisory also notes a manual workaround that updates RTFrontend.ConvertHTML at the cost of breaking certain realtime synchronization features. The associated EPSS score rose from a low baseline to a peak of 0.1084 on 2025-12-11 before receding to its current value of 0.0690, indicating a measurable increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-1290
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. As a workaround, one may update `RTFrontend.ConvertHTML` manually with the patch. This will, however, break some synchronization processes in the realtime editor, so upgrading should be the preferred way on installations where this editor is used.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (likely controls, AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring users to re-enter credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Request monitoring detects anomalous request patterns consistent with cross-site request forgery.