Strix
26.1K

CVE-2024-31982

CRITICALCVSS 9.8/10EPSS 34.52%

Last modified

CVE-2024-31982 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. EPSS estimates a 34.52% chance of exploitation in the next 30 days.

Description

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
34.52%

98.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
XwikiXwiki>= 2.4, < 14.10.20
XwikiXwiki>= 15.0, < 15.5.4
XwikiXwiki>= 15.6, < 15.10

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-31982?
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
How severe is CVE-2024-31982?
CVE-2024-31982 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 34.52% probability of exploitation in the next 30 days.
How do I fix CVE-2024-31982?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-31982?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST