PT-2024-24096 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-26 · Updated 2025-01-09 · CVE-2024-31465

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 5.0-rc-1 through 14.10.19
XWiki Platform versions 15.5.3 and earlier
XWiki Platform versions prior to 15.9-rc-1

Description

The issue allows any user with edit rights on any page to execute code on the server by adding an object of type XWiki.SearchSuggestSourceClass to their user profile or to any other page. This compromises the confidentiality, integrity, and availability of the whole XWiki installation. To exploit this, an attacker can add an object of type XWiki.SearchSuggestSourceClass to their profile page, set properties such as name, engine, service, query, limit, and icon to malicious code, and then access the page with the URL parameter ?sheet=XWiki.SearchSuggestSourceSheet.

Recommendations

For XWiki Platform versions 5.0-rc-1 through 14.10.19, update to version 14.10.20 or later. For XWiki Platform versions 15.5.3 and earlier, update to version 15.5.4 or later. For XWiki Platform versions prior to 15.9-rc-1, update to version 15.9-rc-1 or later. As a temporary workaround, manually apply the patch to the document XWiki.SearchSuggestSourceSheet.

Exploit

Fix

Weakness Enumeration

Code Injection
Eval Injection

Related Identifiers

BDU:2025-01901
CVE-2024-31465
GHSA-34FJ-R5GQ-7395

Affected Products

Xwiki Platform