CVE-2024-31987
Published 2024-04-10
Priority: P2 (58) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.45% (70.0th percentile)
XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page (their own profile is enough) can create a custom skin with a template override that is executed with programming right, which allows remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10-rc-1. No known workarounds are available except upgrading.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 15.0 < 15.5.4 | 15.5.4 |
| xwiki | xwiki | >= 15.6 < 15.10 | 15.10 |
| xwiki | xwiki | >= 6.4 < 14.10.19 | 14.10.19 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
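The ranges above are easy to misread when the installed build carries a milestone or RC qualifier: the advisory says the first vulnerable build is 6.4-milestone-1 and the 15.10 line was fixed in 15.10-rc-1, while the table rounds those to 6.4 and 15.10. The following checker is an added example (not code from the XWiki project or this page) that follows the advisory text rather than the table; it assumes XWiki's qualifier ordering is milestone < rc < final release, which is an assumption made here and not stated on the page.

```python
import re

# Affected ranges for CVE-2024-31987: lower bound inclusive, upper bound exclusive.
# Taken from the advisory text: first vulnerable build 6.4-milestone-1,
# fixed in 14.10.19, 15.5.4 and 15.10-rc-1.
AFFECTED_RANGES = [
    ("6.4-milestone-1", "14.10.19"),
    ("15.0", "15.5.4"),
    ("15.6", "15.10-rc-1"),
]

# Pre-release qualifiers in release order. Assumption (not from the advisory):
# milestones precede release candidates, which precede the final build.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

# Accepts "14.10.19", "6.4-milestone-1", "15.10-rc-1" and the compact "15.10RC1".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)-?(?:(milestone|rc)-?(\d+))?")


def parse_version(version):
    """Turn an XWiki version string into a tuple that sorts in release order.

    Layout: ((major, minor, patch), qualifier_rank, qualifier_number).
    A final release sorts after every pre-release of the same number,
    so parse_version("15.10-rc-1") < parse_version("15.10").
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # "15.10" compares as 15.10.0
    if m.group(2) is None:
        return (tuple(nums), FINAL_RANK, 0)
    return (tuple(nums), QUALIFIER_RANK[m.group(2)], int(m.group(3)))


def is_affected(version):
    """True if the given build falls inside any vulnerable range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def audit(versions):
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    for version, hit in audit(["14.10.18", "14.10.19", "15.5.3", "15.10-rc-1",
                               "15.10RC1", "6.4-milestone-1", "15.10-milestone-2"]).items():
        print(f"{version:18} {'AFFECTED' if hit else 'ok'}")
```

Read the installed version from the wiki's Administration page or the `xwiki-platform` artifact version in the deployment rather than from a banner, since reverse proxies commonly strip it.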
OSV · 2024-04-10 · CVE-2024-31987 [CRITICAL] · XWiki Platform remote code execution from account via custom skins support
### Impact
Any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution.
To reproduce, as a user without edit, script or admin right, add an object of class `XWiki.XWikiSkins` to your profile. Name it whatever you want and set the Base Skin to `flamingo`.
Add an object of class `XWikiSkinFileOverrideClass` and set the path to `macros.vm` and the content to:
```
#macro(mediumUserAvatar $username)
#resizedUserAvatar($username 50)
$services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end
```
Go back to your profile and click `Test this skin`.
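The reproduction above leaves two traces: a persisted `XWiki.XWikiSkins` object plus `XWiki.XWikiSkinFileOverrideClass` objects on a page whose author should never own a skin, and (for this particular payload) an error-level entry from the `Skin` logger. The script below is an added example, not code from the XWiki project or this advisory, that triages a XAR export for the first trace: every page carrying a skin object with template overrides whose author is not in an allowlist is reported. It assumes the XAR document layout shown in the constructed sample pages (`web`/`name`/`author` at the top level, and `object`/`className`/`property`/`<field>` for objects); the class names and property names `baseskin`, `path` and `content` come from the advisory.

```python
import xml.etree.ElementTree as ET

SKIN_CLASS = "XWiki.XWikiSkins"
OVERRIDE_CLASS = "XWiki.XWikiSkinFileOverrideClass"

# Constructed sample pages in XAR document XML (layout assumed, see lead-in).
# A profile page that has been turned into a skin with the advisory's macros.vm payload:
MALICIOUS_PROFILE = """<xwikidoc version="1.5" reference="XWiki.Mallory" locale="">
  <web>XWiki</web>
  <name>Mallory</name>
  <author>XWiki.Mallory</author>
  <object>
    <name>XWiki.Mallory</name>
    <number>0</number>
    <className>XWiki.XWikiSkins</className>
    <property><baseskin>flamingo</baseskin></property>
  </object>
  <object>
    <name>XWiki.Mallory</name>
    <number>0</number>
    <className>XWiki.XWikiSkinFileOverrideClass</className>
    <property><path>macros.vm</path></property>
    <property><content>#macro(mediumUserAvatar $username)
#resizedUserAvatar($username 50)
$services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end</content></property>
  </object>
</xwikidoc>"""

# A legitimate corporate skin maintained by an administrator (constructed):
TRUSTED_SKIN = """<xwikidoc version="1.5" reference="Skins.Corporate" locale="">
  <web>Skins</web>
  <name>Corporate</name>
  <author>XWiki.Admin</author>
  <object>
    <className>XWiki.XWikiSkins</className>
    <property><baseskin>flamingo</baseskin></property>
  </object>
  <object>
    <className>XWiki.XWikiSkinFileOverrideClass</className>
    <property><path>style.css</path></property>
    <property><content>body { font-family: sans-serif; }</content></property>
  </object>
</xwikidoc>"""

# An ordinary profile with no skin objects at all (constructed):
PLAIN_PROFILE = """<xwikidoc version="1.5" reference="XWiki.Alice" locale="">
  <web>XWiki</web><name>Alice</name><author>XWiki.Alice</author>
</xwikidoc>"""


def inspect_document(xml_text):
    """Collect the skin object and template overrides found on one exported page."""
    root = ET.fromstring(xml_text)
    info = {
        "document": f"{root.findtext('web')}.{root.findtext('name')}",
        "author": root.findtext("author"),
        "base_skin": None,
        "overrides": [],
    }
    for obj in root.iter("object"):
        cls = obj.findtext("className")
        if cls == SKIN_CLASS:
            info["base_skin"] = obj.findtext("property/baseskin")
        elif cls == OVERRIDE_CLASS:
            info["overrides"].append({
                "path": obj.findtext("property/path"),
                "content": obj.findtext("property/content") or "",
            })
    return info


def triage(xml_documents, trusted_authors):
    """Report pages that define a skin with overrides but are owned by an untrusted author."""
    findings = []
    for xml_text in xml_documents:
        info = inspect_document(xml_text)
        if info["base_skin"] is None or not info["overrides"]:
            continue                      # not a custom skin with template overrides
        if info["author"] in trusted_authors:
            continue                      # skin maintained by an allowlisted account
        # Script-service access inside an override is the tell for this class of abuse.
        info["uses_script_services"] = any("$services." in o["content"] for o in info["overrides"])
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in triage([MALICIOUS_PROFILE, TRUSTED_SKIN, PLAIN_PROFILE], {"XWiki.Admin"}):
        paths = ", ".join(o["path"] for o in f["overrides"])
        print(f"{f['document']} by {f['author']}: overrides {paths}; "
              f"script services referenced: {f['uses_script_services']}")
```

Because the payload runs as soon as `Test this skin` is clicked, an attacker can delete the objects afterwards and an export will show nothing; pair this inventory with page-history review of profile pages and a search of the application logs for the `Skin` logger output the payload writes.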
GHSA · 2024-04-10 · CVE-2024-31987 [CRITICAL] · CWE-862 (Missing Authorization) · XWiki Platform remote code execution from account via custom skins support
The GHSA advisory body (Impact and reproduction steps) is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cv55-v6rw-7r5v
- https://jira.xwiki.org/browse/XWIKI-21478
- https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39
- https://github.com/xwiki/xwiki-platform/commit/626d2a5dbf95b4e719ae13bf1a0a9c76e4edd5a2
- https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56