PT-2023-9622 · Xwiki · Xwiki Platform

Akos Jakab +1

Published 2023-10-26 · Updated 2025-11-26

CVE-2024-31982

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform from 2.4-milestone-1 before 14.10.20
XWiki Platform from 15.0-rc-1 before 15.5.4
XWiki Platform from 15.6-rc-1 before 15.10-rc-1
(Fixed in 14.10.20, 15.5.4 and 15.10-rc-1.)

Description
The database search page of XWiki Platform, Main.DatabaseSearch, inserts the user-supplied search text into the rendered page without validating or escaping it. Wiki syntax contained in the search text is therefore rendered, and script macros in it are executed on the server, which gives an attacker remote code execution. The database search is accessible to all users by default, so on a public wiki no authentication is needed and on a closed wiki any registered user can exploit the issue. Successful exploitation compromises the confidentiality, integrity and availability of the entire XWiki installation.
Endpoint: /xwiki/bin/get/Main/DatabaseSearch
Vulnerable parameter: text

Recommendations
Upgrade to a fixed release (14.10.20, 15.5.4 or 15.10-rc-1). Where an upgrade is not immediately possible, the same workaround applies to all affected versions: manually apply the patch to the Main.DatabaseSearch page, or delete that page if database search is not explicitly used by your users.

Exploit · Fix · RCE · Code Injection · Eval Injection

Related Identifiers

BDU:2024-08879
CVE-2024-31982
GHSA-2858-8cfx-69m9

Affected Products

Xwiki Platform