Cyber Resilience

CVE-2024-31988

Severity: Critical · Public PoC referenced

Published: 10 April 2024
Modified: 09 January 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0690 (91.6th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-31988 is a critical-severity cross-site request forgery (CSRF, CWE-352) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood (EPSS 91.6th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform versions from 13.9-rc-1 through 14.10.18, 15.5.3, and 15.9 contain a vulnerability in the realtime editor component that permits arbitrary remote code execution. The flaw stems from insufficient CSRF protection of the RTFrontend.ConvertHTML endpoint: crafted XWiki syntax containing Groovy or Python script macros is executed when the request is processed under an administrator account that holds programming rights. The issue is tracked as CWE-352 and carries a CVSS 3.1 score of 9.6.

An unauthenticated attacker can exploit the weakness by inducing an administrator to visit a maliciously constructed URL, or to load an image whose source attribute points to that URL, for example by embedding it in a comment or wiki page. Because the forged request is processed with the administrator's programming rights, the server interprets and runs the attacker-supplied scripting macros, resulting in full compromise of the confidentiality, integrity, and availability of the XWiki installation.

Official patches in XWiki 14.10.19, 15.5.4, and 15.9 address the endpoint; the project advisory also describes a manual workaround that applies the patch to RTFrontend.ConvertHTML by hand, at the cost of breaking some realtime synchronization features, so upgrading is the preferred remedy. The EPSS score rose from a low baseline to a peak of 0.1084 on 2025-12-11 before receding to its current value of 0.0690, indicating a measurable increase in exploitation interest after disclosure.

Vulnerability details

XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. As a workaround, one may update `RTFrontend.ConvertHTML` manually with the patch. This will, however, break some synchronization processes in the realtime editor, so upgrading should be the preferred way on installations where this editor is used.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Affected version ranges: 13.9 — 14.10.19 · 15.0 — 15.5.4 · 15.6 — 15.9

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. (addresses: CWE-352)

Requiring users to re-enter credentials for sensitive actions prevents automated forgery of requests without active user participation. (addresses: CWE-352)

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. (addresses: CWE-352)

Detection of anomalous request patterns consistent with cross-site request forgery. (addresses: CWE-352)
