CVE Vulnerability Details: CVE-2024-31982 (PUBLISHED)
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 10 Apr, 2024 | 19:38
Updated At: 25 Sep, 2025 | 16:39
CVE Numbering Authority (CNA)
XWiki Platform: Remote code execution as guest via DatabaseSearch

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki, as the database search is by default accessible to all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted, as it is not the default search interface of XWiki.

Affected Products
Vendor
XWiki SAS (xwiki)
Product
xwiki-platform
Versions
Affected
  • >= 2.4-milestone-1, < 14.10.20
  • >= 15.0-rc-1, < 15.5.4
  • >= 15.6-rc-1, < 15.10-rc-1
Problem Types
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Metrics
  • CVSS version: 3.1
  • Base score: 10.0 (CRITICAL)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References
  • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9 (x_refsource_CONFIRM)
  • https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31 (x_refsource_MISC)
  • https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8 (x_refsource_MISC)
  • https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565 (x_refsource_MISC)
  • https://jira.xwiki.org/browse/XWIKI-21472 (x_refsource_MISC)
  • https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982
Authorized Data Publishers (ADP)
1. CVE Program Container
References
  • https://www.vicarius.io/vsociety/posts/cve-2024-31982-detect-xwiki-vulnerability
  • https://www.vicarius.io/vsociety/posts/cve-2024-31982-xwiki-mitigation-vulnerability
  • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9 (x_refsource_CONFIRM, x_transferred)
  • https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31 (x_refsource_MISC, x_transferred)
  • https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8 (x_refsource_MISC, x_transferred)
  • https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565 (x_refsource_MISC, x_transferred)
  • https://jira.xwiki.org/browse/XWIKI-21472 (x_refsource_MISC, x_transferred)
  • https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982 (x_transferred)
2. CISA ADP Vulnrichment
Affected Products
Vendor
XWiki SAS (xwiki)
Product
xwiki-platform
CPEs
  • cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 2.4-milestone-1 before 14.10.20 (custom)
  • From 15.0-rc-1 before 15.5.4 (custom)
  • From 15.6-rc-1 before 15.10-rc-1 (custom)