CVE-2024-31982
Published 2024-04-10
Priority P1 92 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 34.52% (98.2th percentile)
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 15.0 < 15.5.4 | 15.5.4 |
| xwiki | xwiki | >= 15.6 < 15.10 | 15.10 |
| xwiki | xwiki | >= 2.4 < 14.10.20 | 14.10.20 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- url: `/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=`
- command: `async async=false`
- snort: `alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XWiki Groovy Script Command Injection Attempt (CVE-2024-31982)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text="; startswith; fast_pattern; content:"async async|3d|false"; within:80; content:"|7b 7b|groovy|7d 7d|"; within:36; reference:cve,2024-31982; reference:url,www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982; classtype:attempted-admin; sid:2061104; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, tls_state plaintext, created_at 2025_03_26, cve CVE_2024_31982, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)`
- bytes: `|7b 7b|groovy|7d 7d|`
- Exploit requests use HTTP GET to `/xwiki/bin/get/Main/DatabaseSearch` with `outputSyntax=plain` and a Groovy template injection payload (`{{groovy}}`) in the `text` parameter.
- The vulnerable page is `Main.DatabaseSearch`; deleting or patching this page removes the attack surface. Monitor for unexpected access to or modification of this page.
- The vulnerability is exploitable by unauthenticated visitors on public wikis and by any authenticated user on closed wikis, since the DatabaseSearch page is accessible to all users by default.
- The Snort/Suricata rule (sid:2061104) only covers plaintext HTTP traffic (`tls_state plaintext`); exploitation over HTTPS will not be detected by this rule unless the traffic is decrypted before inspection.
CVSS provenance
- nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 10.0 CRITICAL
OSV
XWiki Platform: Remote code execution as guest via DatabaseSearch (osv · 2024-04-10 · CRITICAL)
### Impact
XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If the title of the RSS channel contains `Hello from search text:42`, the
GHSA
XWiki Platform: Remote code execution as guest via DatabaseSearch (ghsa · 2024-04-10 · CRITICAL · CWE-94)
VulnCheck
xwiki xwiki Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (vulncheck · 2024 · CVSS 10.0 · CRITICAL)
Suricata
ET WEB_SPECIFIC_APPS XWiki Groovy Script Command Injection Attempt (CVE-2024-31982) (suricata · 2025-03-26 · CVSS 10.0 · CRITICAL)
Nuclei
XWiki < 4.10.20 - Remote code execution (nuclei · CVSS 9.8 · CRITICAL)
Template matchers (excerpt):
XWiki ", "RSS feed")'
- 'contains(header, "text/javascript")'
- 'status_code == 200'
condition: and
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31
- https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8
- https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9
- https://jira.xwiki.org/browse/XWIKI-21472
- https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982
- https://www.vicarius.io/vsociety/posts/cve-2024-31982-detect-xwiki-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2024-31982-xwiki-mitigation-vulnerability