Cross-site request forgery in XWiki platform - CVE-2024-31988
Published: April 10, 2024 / Updated: May 5, 2026
XWiki platform
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the affected XWiki instance.
The vulnerability exists because the realtime HTML converter API, exposed by the RTFrontend.ConvertHTML page, does not protect its requests against cross-site request forgery. A remote attacker can craft a URL that targets this API and deliver it to a privileged user, either as a link or as the source of an image embedded in a page the victim views. The victim's browser sends the request together with the victim's session, so the converter processes the attacker-supplied content with the victim's rights, which leads to arbitrary code execution.
User interaction is required: exploitation succeeds only if a user with programming right, such as an administrator, visits the crafted URL or views a page containing an image whose source is that URL. No further action by the victim is needed, because the browser attaches the wiki session to the request automatically, including for image loads.
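The request flow described above, as an added illustration (example code, not XWiki's own): a toy Python model of a converter-style endpoint that performs a privileged action on any request carrying the victim's session cookie, beside a hardened handler that requires POST and a per-session anti-CSRF token. The cookie name, the form_token parameter name, the URL in the comment and the payload placeholder are assumptions of the example; no real exploit content is included.

```python
"""Toy model of the CSRF issue described above (example code, not XWiki's).

A converter-style endpoint that acts on any request carrying the victim's
session cookie is reachable from an <img> tag on an attacker's page, because
browsers attach the wiki's cookies to that image load.  The hardened handler
demands POST plus an anti-CSRF token bound to the session, which a cross-site
image load can neither send nor read.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    params: dict     # query string or form fields
    cookies: dict    # cookies the browser attached


@dataclass
class Session:
    user: str
    programming_right: bool
    # Per-session secret; the wiki would embed it in its own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict[str, Session] = {}
COOKIE = "JSESSIONID"        # assumed session cookie name
TOKEN_PARAM = "form_token"   # assumed anti-CSRF parameter name


def login(user: str, programming_right: bool) -> str:
    """Create a session and return its cookie value."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = Session(user, programming_right)
    return sid


def _session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get(COOKIE, ""))


def convert_vulnerable(req: Request, executed: list) -> int:
    """Trusts the cookie alone: any method, no token.  Returns an HTTP status."""
    s = _session(req)
    if s is None or not s.programming_right:
        return 403
    executed.append(req.params.get("html", ""))   # privileged action happens here
    return 200


def convert_hardened(req: Request, executed: list) -> int:
    """Same action, but only for a POST carrying the session's own token."""
    s = _session(req)
    if s is None or not s.programming_right:
        return 403
    if req.method != "POST":
        return 405   # a GET, and therefore an <img src> load, can never trigger it
    sent = req.params.get(TOKEN_PARAM, "").encode()
    if not hmac.compare_digest(sent, s.csrf_token.encode()):
        return 403   # the attacker cannot read the victim's token
    executed.append(req.params.get("html", ""))
    return 200


PAYLOAD = "ATTACKER_CONTROLLED_HTML"   # placeholder, not a real exploit string


def image_load_request(sid: str) -> Request:
    """What the victim's browser sends when an attacker page contains
    <img src="https://wiki.example/.../ConvertHTML?html=..."> (constructed)."""
    return Request("GET", {"html": PAYLOAD}, {COOKIE: sid})


def forged_post_request(sid: str) -> Request:
    """Auto-submitted cross-site form: POST with the cookie but a guessed token."""
    return Request("POST", {"html": PAYLOAD, TOKEN_PARAM: "guess"}, {COOKIE: sid})


def legitimate_request(sid: str) -> Request:
    """Request from the wiki's own UI, which knows the session token."""
    return Request("POST",
                   {"html": "<p>hi</p>", TOKEN_PARAM: SESSIONS[sid].csrf_token},
                   {COOKIE: sid})


def demo() -> dict:
    """Run each request against both handlers; values are (status, actions run)."""
    sid = login("admin", programming_right=True)
    out = {}
    for name, req in (("img", image_load_request(sid)),
                      ("forged_post", forged_post_request(sid)),
                      ("legit", legitimate_request(sid))):
        for handler in (convert_vulnerable, convert_hardened):
            ran: list = []
            status = handler(req, ran)
            out[(handler.__name__, name)] = (status, len(ran))
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The method check alone is what defeats the image-tag vector, since an image load is always a GET; the token check is what defeats the auto-submitted form vector, because the token lives in the victim's session and is never exposed to a cross-site page. A real fix needs both, and the token must be compared in constant time and bound to the session rather than being a global secret.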