Description

XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page.

Remediation

References

CVE-2024-31984

Related Vulnerabilities

WordPress 6.2.x Multiple Vulnerabilities (6.2 - 6.2.3)

Nginx Resource Management Errors Vulnerability (CVE-2016-0747)

WordPress Plugin MC4WP:Mailchimp for WordPress Cross-Site Request Forgery (4.8.4)

WordPress Plugin LearnPress-WordPress LMS Arbitrary File Write (3.2.2)

WordPress Plugin Forms:3rd-Party Inject Results Cross-Site Scripting (0.2)

Severity

High

Classification

CVE-2024-31984 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities