PT-2023-9238 · Xwiki · Xwiki Platform
Michael Hamann
·
Published
2023-10-26
·
Updated
2025-01-21
·
CVE-2024-31984
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 7.2-rc-1 through 14.10.19
XWiki Platform 15.x versions up to and including 15.5.3
Later XWiki Platform 15.x versions prior to 15.10-rc-1
Description
The issue is an eval injection: the XWiki Platform renders the title of a space document as executable content instead of as plain text when building the Solr-based search's space facet (the Main.SolrSpaceFacet page). By creating a document with a specially crafted title, an attacker can trigger remote code execution through the Solr-based search. Any user who can edit the title of a space can thereby run arbitrary Groovy code in the XWiki installation, compromising the confidentiality, integrity, and availability of the whole installation. Because the payload is stored in the title, it executes whenever a privileged page renders that facet, not only at the moment the title is saved.
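Since the payload lives in a stored document title, patching alone does not tell you whether someone already planted one. The following audit script is an added example, not code from the advisory or from the XWiki project: it scans (document reference, title) pairs for script-macro syntax (`{{groovy}}`, `{{velocity}}` and similar), Velocity directives such as `#evaluate(`, and references to scripting objects such as `$services`. The `SAMPLE_DOCS` list is constructed for the demo; in practice the pairs would come from an export of the wiki (REST API or database dump), which is outside this example.

```python
"""Audit XWiki document titles for embedded script or Velocity syntax.

Added illustration, not XWiki project code. Titles are assumed to be
supplied as (document_reference, title) pairs obtained elsewhere; the
sample below is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# XWiki script macros run with the rights of the page that renders them,
# so any of these in a title is a red flag regardless of the macro body.
SCRIPT_MACRO_RE = re.compile(
    r"\{\{\s*(groovy|velocity|python|php|ruby|script)\b", re.IGNORECASE
)
# Velocity directives that evaluate or control code, e.g. "#evaluate(".
VELOCITY_DIRECTIVE_RE = re.compile(
    r"#(set|evaluate|if|foreach|macro|include|parse)\s*\(", re.IGNORECASE
)
# Velocity references to objects that expose scripting or request data.
VELOCITY_REF_RE = re.compile(
    r"\$\{?!?(services|xcontext|xwiki|doc|request|response)\b"
)


@dataclass(frozen=True)
class Finding:
    reference: str
    title: str
    reason: str


def classify_title(title: str) -> Optional[str]:
    """Return a short reason if the title looks like a script payload, else None."""
    if SCRIPT_MACRO_RE.search(title):
        return "script macro"
    if VELOCITY_DIRECTIVE_RE.search(title):
        return "velocity directive"
    if VELOCITY_REF_RE.search(title):
        return "velocity reference"
    return None


def audit_titles(docs: Iterable[Tuple[str, Optional[str]]]) -> List[Finding]:
    """Scan (reference, title) pairs and return the suspicious ones in order."""
    findings: List[Finding] = []
    for reference, title in docs:
        if not title:
            continue
        reason = classify_title(title)
        if reason:
            findings.append(Finding(reference, title, reason))
    return findings


# Constructed sample of what an export of document titles might look like.
# Ordinary titles with '#', '&' or '%' must not be flagged.
SAMPLE_DOCS = [
    ("Main.WebHome", "Main"),
    ("Sandbox.WebHome", "Sandbox: 100% safe"),
    ("Docs.WebHome", "Docs & FAQ (#1)"),
    ("Evil.WebHome", "{{groovy}}println 'x'{{/groovy}}"),
    ("Evil2.WebHome", "#evaluate($request.cmd)"),
    ("Evil3.WebHome", "$services.localization.render('x')"),
    ("Empty.WebHome", None),
]

if __name__ == "__main__":
    for f in audit_titles(SAMPLE_DOCS):
        print(f"{f.reference}: {f.reason}: {f.title!r}")
```

The check is deliberately syntax-based rather than an attempt to parse XWiki markup: a title that merely contains a script macro opener is already outside what a title should carry, so the false-positive rate on real wikis is low, and each hit should be reviewed by hand together with the document's version history to identify the author.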
Recommendations
For XWiki Platform versions 7.2-rc-1 through 14.10.19, update to version 14.10.20 or later.
For XWiki Platform versions 15.5.3 and earlier, update to version 15.5.4 or later.
For XWiki Platform versions prior to 15.10-rc-1, update to version 15.10-rc-1 or later.
As a temporary workaround, manually apply the patch to the Main.SolrSpaceFacet page.
RCE
Eval Injection
Code Injection
Affected Products
Xwiki Platform