Eval Injection in XWiki platform - CVE-2024-31986

Published: April 10, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129907
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-31986
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows an authenticated remote user who can create documents to execute arbitrary code on the server.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the scheduler page's handling of scheduler job document references. The scheduler page inserts the document reference of each scheduler job into content that is then evaluated, without escaping it. A remote user can therefore create a document whose reference carries a specially crafted name and attach an XWiki.SchedulerJobClass object to it; when the scheduler page is rendered, the directives embedded in that reference are evaluated and arbitrary code runs on the server.

User interaction is required: an administrator must visit the scheduler page, or a page that references it indirectly, for example one in which the scheduler page is embedded.
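The following is an added example, written for this page and not XWiki's own code, that models the CWE-95 pattern described above: an untrusted document reference is concatenated into markup that a rendering step then evaluates, so a reference carrying a script macro executes when an administrator views the listing. The toy renderer, the sample job rows, the per-character `~` escaping (modelled on the xwiki/2.1 escape character; an assumption about the real escaper) and the function names are all assumptions for illustration; only the class name XWiki.SchedulerJobClass comes from the advisory. The last function is the check a defender would run today: list scheduler job documents whose references contain wiki or script syntax.

```python
import re

# Constructed sample data: one ordinary scheduler job reference and one whose name
# carries a Groovy script macro. Only the class name XWiki.SchedulerJobClass is from
# the advisory; the references themselves are made up for this example.
SAMPLE_JOBS = [
    {"reference": "Scheduler.WatchListDailyNotifier", "status": "Normal"},
    {"reference": 'Scheduler.{{groovy}}println("owned"){{/groovy}}', "status": "Normal"},
]

# XWiki-style macro syntax: {{name}}body{{/name}}
MACRO_RE = re.compile(r"\{\{(\w+)\}\}(.*?)\{\{/\1\}\}", re.S)


def escape_xwiki21(text):
    """Prefix every character with '~', the xwiki/2.1 escape character.

    Assumption: a simplified model of escaping a value before it enters wiki
    markup. What matters is that no contiguous '{{' survives the escaping.
    """
    return "".join("~" + c for c in text)


def build_listing(jobs, escape):
    """Assemble the wiki-syntax table a template would emit for the scheduler page.

    escape=False is the vulnerable pattern: the document reference is concatenated
    raw into markup that is evaluated later.
    """
    rows = ["|= Job |= Status"]
    for job in jobs:
        ref = escape_xwiki21(job["reference"]) if escape else job["reference"]
        rows.append(f"| {ref} | {job['status']}")
    return "\n".join(rows)


def render(markup):
    """Toy model of the rendering step.

    Script macros found in the markup would run with the rights of the page being
    rendered. Instead of executing them, record (name, body) and return the
    rendered text alongside that list.
    """
    executed = []

    def run_macro(match):
        executed.append((match.group(1), match.group(2)))
        return "[macro output]"

    text = MACRO_RE.sub(run_macro, markup)
    text = re.sub(r"~(.)", r"\1", text, flags=re.S)  # escapes become literal characters
    return text, executed


def admin_visits_scheduler(jobs, escape):
    """Return the script macro bodies that would execute when the listing is viewed."""
    _, executed = render(build_listing(jobs, escape))
    return executed


# Hunt rule: a scheduler job document whose reference contains macro or scripting
# syntax has no legitimate reason to exist.
SUSPICIOUS_RE = re.compile(r"\{\{|\}\}|[$#]")


def suspicious_scheduler_jobs(jobs):
    """References of XWiki.SchedulerJobClass documents that carry wiki/script syntax."""
    return [j["reference"] for j in jobs if SUSPICIOUS_RE.search(j["reference"])]


if __name__ == "__main__":
    print("vulnerable:", admin_visits_scheduler(SAMPLE_JOBS, escape=False))
    print("hardened:  ", admin_visits_scheduler(SAMPLE_JOBS, escape=True))
    print("hunt:      ", suspicious_scheduler_jobs(SAMPLE_JOBS))
```

The job rows here would in practice come from wherever the wiki stores objects of XWiki.SchedulerJobClass (the REST API or a database export); the hunt function only needs the document reference of each such object.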


How to mitigate CVE-2024-31986

Install the security update from the vendor's website. Until it is applied, review documents that carry an XWiki.SchedulerJobClass object for references containing wiki or script syntax, and limit which users may create documents, since document creation is the attacker's entry point.

Sources