critical
9.1
CWE
95 352
EPSS
0.045%
Advisory Published
CVE Published
Updated

CVE-2024-31986: XWiki Platform CSRF remote code execution through scheduler job's document reference

First published: Wed Apr 10 2024(Updated: )

### Impact By creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. To reproduce on an XWiki installation, click on this link to create a new document : `<xwiki-host>/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/`. Then, add to this document an object of type `XWiki.SchedulerJobClass`. Finally, as an admin, go to `<xwiki-host>/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22)`. If the logs contain `ERROR attacker - Hello from URL Parameter! I got programming: true`, the installation is vulnerable. ### Patches The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9. ### Workarounds Modify the Scheduler.WebHome page following this [patch](https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c#diff-1e2995eacccbbbdcc4987ff64f46ac74837d166cf9e92920b4a4f8af0f10bd47). ### References - https://jira.xwiki.org/browse/XWIKI-21416 - https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.xwiki.platform:xwiki-platform-scheduler-ui>=15.6-rc-1<15.9
15.9
maven/org.xwiki.platform:xwiki-platform-scheduler-ui>=15.0-rc-1<15.5.4
15.5.4
maven/org.xwiki.platform:xwiki-platform-scheduler-ui>=3.1<14.10.19
14.10.19
Xwiki>=3.1.1<14.10.19
Xwiki>=15.0<15.5.4
Xwiki>=15.6<15.9

Remedy

https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf

Remedy

https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87

Remedy

https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-31986?

    CVE-2024-31986 has been classified with a high severity rating due to the potential for arbitrary code execution.

  • How do I fix CVE-2024-31986?

    To fix CVE-2024-31986, update the xwiki-platform-scheduler-ui to version 15.9, 15.5.4, or 14.10.19 or later.

  • Which versions of XWiki are affected by CVE-2024-31986?

    CVE-2024-31986 affects XWiki versions between 3.1 and 15.5.4 and between 15.6 and 15.9.

  • What type of vulnerability is CVE-2024-31986?

    CVE-2024-31986 is a remote code execution vulnerability that can be exploited when an admin user accesses the scheduler page.

  • Who is impacted by CVE-2024-31986?

    Administrators who access the affected scheduler page in XWiki are primarily impacted by CVE-2024-31986.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203