SB2024041093 - Multiple vulnerabilities in XWiki platform

Published: April 10, 2024. Updated: May 5, 2026.

Security Bulletin ID: SB2024041093
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 18%, Medium: 73%, Low: 9%

Description

This security bulletin contains information about 11 vulnerabilities.


1) Eval Injection (CVE-ID: CVE-2024-31465)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.SearchSuggestSourceSheet when rendering a page with an XWiki.SearchSuggestSourceClass object. A remote user can add a crafted XWiki.SearchSuggestSourceClass object to a user profile or another page to execute arbitrary code on the server.

The issue can be triggered by any user with edit right on any page, even without script or programming rights.


2) Eval Injection (CVE-ID: CVE-2024-31982)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the DatabaseSearch feature when processing search text. A remote attacker can send a specially crafted search query to execute arbitrary code.

The database search is by default accessible to all users, including guests on public wiki instances.


3) Eval Injection (CVE-ID: CVE-2024-31984)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Solr-based search UI space facet when rendering search results that include a specially crafted space title. A remote user can create a document with a specially crafted title to execute arbitrary code.

Exploitation requires the ability to edit the title of a space.


4) Missing Authorization (CVE-ID: CVE-2024-31987)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to missing authorization in custom skins support when testing a custom skin with a template override. A remote user can create a custom skin on a page they can edit and define a template override that is evaluated with programming right, which leads to arbitrary code execution.

The issue can be exploited by a user who can edit a page such as their profile, even without edit, script, or admin right.


5) Missing Authorization (CVE-ID: CVE-2024-31983)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to missing authorization in wiki translation editing in multilingual wikis when editing translations. A remote user can modify a translation value to inject script code and execute arbitrary code.

Translations can be edited by users who have only edit right, bypassing the script right normally required for user-scope translations and the wiki admin right normally required for wiki translations.


6) Missing Authorization (CVE-ID: CVE-2024-31981)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to missing authorization in PDF export templates when processing a user-supplied PDF template. A remote user can register a user account with the username PDFClass and define a crafted style property to execute arbitrary code.

Exploitation requires that XWiki.PDFClass does not already exist.


7) Information disclosure (CVE-ID: CVE-2024-31464)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the diff feature of the history when viewing differences after deletion of an xobject holding password data. A remote privileged user can delete the xobject storing a password on a target page and use the diff feature to disclose sensitive information.

This can expose password hashes from user pages or other pages that store passwords in xobjects.


8) Missing Authorization (CVE-ID: CVE-2024-31997)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to missing authorization when UI extension parameters are interpreted as Velocity code. A remote user can create a UI extension in a document they can edit to execute arbitrary code.

UI extension parameters are executed with programming rights, and a user with edit right on a document such as their own profile can create UI extensions.


9) Cross-site request forgery (CVE-ID: CVE-2024-31988)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to missing cross-site request forgery protection in the RTFrontend.ConvertHTML realtime HTML Converter API. A remote attacker can cause an admin user to visit a crafted URL, or to view an image that points at that URL, to execute arbitrary code.

User interaction is required, and exploitation requires an admin user with programming right to visit the crafted URL or view an image containing that URL.


10) Eval Injection (CVE-ID: CVE-2024-31986)

CWE-ID: CWE-95 - Eval Injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the server.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the way the scheduler page handles the document reference of a scheduler job object. A remote user can create a document with a specially crafted document reference and an XWiki.SchedulerJobClass object to execute arbitrary code on the server.

User interaction is required: an administrator must visit the scheduler page or reference it indirectly, such as through embedded content.


11) Cross-site request forgery (CVE-ID: CVE-2024-31985)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform unauthorized job scheduling actions.

The vulnerability exists due to cross-site request forgery (CSRF) in the job scheduler page when handling crafted requests to schedule, trigger, or unschedule existing jobs. A remote attacker can embed a predictable URL in content to perform unauthorized job scheduling actions.

User interaction is required, and the victim must visit the job scheduler page with administrative rights.


Remediation

Install the update from the vendor's website.