cbcvebase.
CVE-2024-31982
published 2024-04-10


Priority: P1 · 92 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 34.52% (98.2th percentile)
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

Affected

6 ranges
Vendor   Product          Version range        Fixed in
xwiki    xwiki            >= 15.0 < 15.5.4     15.5.4
xwiki    xwiki            >= 15.6 < 15.10      15.10
xwiki    xwiki            >= 2.4 < 14.10.20    14.10.20
xwiki    xwiki-platform
xwiki    xwiki-platform
xwiki    xwiki-platform

Detection & IOCs (extracted from sources)

url:     /xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=
command: async async=false
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XWiki Groovy Script Command Injection Attempt (CVE-2024-31982)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text="; startswith; fast_pattern; content:"async async|3d|false"; within:80; content:"|7b 7b|groovy|7d 7d|"; within:36; reference:cve,2024-31982; reference:url,www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982; classtype:attempted-admin; sid:2061104; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state plaintext, created_at 2025_03_26, cve CVE_2024_31982, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes:   |7b 7b|groovy|7d 7d|
  • Exploit requests use HTTP GET to /xwiki/bin/get/Main/DatabaseSearch with outputSyntax=plain and a Groovy template injection payload ({{groovy}}) in the text parameter.
  • The vulnerable page is Main.DatabaseSearch; deleting or patching this page mitigates the attack surface. Monitor for unexpected access or modification of this page.
  • The vulnerability is exploitable by unauthenticated visitors on public wikis and any authenticated user on closed wikis, since the DatabaseSearch page is accessible to all users by default.
  • The Snort/Suricata rule (sid:2061104) only covers plaintext HTTP traffic (tls_state: plaintext); HTTPS-wrapped exploitation will not be detected by this rule.
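Because the network signature above only sees plaintext HTTP, a complementary check is to run the same request pattern over the web server's own access logs, which record requests after TLS termination. The following is an added example, not code from this page or from the XWiki project: it parses combined-format access-log lines, percent-decodes the query string (twice, to catch a double-encoded marker), and flags GET requests to /xwiki/bin/get/Main/DatabaseSearch whose text parameter carries the {{groovy}} marker. The log lines are constructed for the example; only the path, the parameter names and the marker come from the page, and the function and variable names are the example's own.

```python
"""Flag access-log lines matching the CVE-2024-31982 request pattern from
the page: GET /xwiki/bin/get/Main/DatabaseSearch with a {{groovy}} marker
in the text parameter. Added example; log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

VULN_PATH = "/xwiki/bin/get/Main/DatabaseSearch"   # page from the advisory
GROOVY_MARKER = re.compile(r"\{\{\s*groovy", re.IGNORECASE)  # |7b 7b|groovy


def parse_line(line):
    """Return (client, ts, method, path, params, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs decodes once; unquote again so %257B%257B (double-encoded) is caught
    params = {
        k: [unquote(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return (m.group("client"), m.group("ts"), m.group("method"),
            parts.path, params, int(m.group("status")))


def is_cve_2024_31982_attempt(line):
    """True when the line is a GET to the DatabaseSearch page whose text
    parameter contains the {{groovy}} marker. The outputSyntax=plain condition
    from the Snort rule is deliberately not required, so the check is a
    superset of the signature on the server side."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    _client, _ts, method, path, params, _status = parsed
    if method != "GET" or path.rstrip("/") != VULN_PATH:
        return False
    return any(GROOVY_MARKER.search(v) for v in params.get("text", []))


def scan(lines):
    """Return (client, timestamp) for every line matching the pattern."""
    hits = []
    for line in lines:
        if is_cve_2024_31982_attempt(line):
            client, ts, *_ = parse_line(line)
            hits.append((client, ts))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    # default search interface, benign
    '203.0.113.5 - - [10/Apr/2024:10:00:01 +0000] "GET /xwiki/bin/view/Main/Search?text=hello HTTP/1.1" 200 5120',
    # legitimate use of the database search page, benign
    '203.0.113.6 - - [10/Apr/2024:10:00:02 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=release+notes HTTP/1.1" 200 812',
    # marker percent-encoded once
    '198.51.100.7 - - [10/Apr/2024:10:00:03 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 230',
    # marker percent-encoded twice
    '198.51.100.8 - - [10/Apr/2024:10:00:04 +0000] "GET /xwiki/bin/get/Main/DatabaseSearch?text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 230',
]

if __name__ == "__main__":
    for client, ts in scan(SAMPLE_LOG):
        print(f"CVE-2024-31982 request pattern from {client} at {ts}")
```

Run it against a real access log with `scan(open(path))`; a hit on a host that is still below the fixed versions listed above is the signal to check whether Main.DatabaseSearch was patched or deleted as the advisory recommends.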

CVSS provenance

nvd        v3.1   9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         10.0   CRITICAL