Eval Injection in XWiki platform - CVE-2024-31465
Published: April 10, 2024 / Updated: May 5, 2026
XWiki platform
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code on the server.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.SearchSuggestSourceSheet when rendering a page with an XWiki.SearchSuggestSourceClass object. A remote user can add a crafted XWiki.SearchSuggestSourceClass object to a user profile or to another page to execute arbitrary code on the server.
The issue can be triggered by any user with edit right on any page, even without script or programming rights.