CVE-2024-31983

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 4.3-milestone-2 through 4.10.19 XWiki Platform versions prior to 15.5.4 XWiki Platform versions prior to 15.10-rc-1

Description In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations. This can be exploited for remote code execution if the translation value is not properly escaped where it is used. For example, editing a translation of AppWithinMinutes.Translations and adding {{async}}{{groovy}}println("Hello from Translation"){{/groovy}}{{/async}} at the end of the line platform.appwithinminutes.description= can demonstrate the vulnerability.

Recommendations For XWiki Platform versions 4.3-milestone-2 through 4.10.19, update to version 4.10.20 or later. For XWiki Platform versions prior to 15.5.4, update to version 15.5.4 or later. For XWiki Platform versions prior to 15.10-rc-1, update to version 15.10-rc-1 or later. As a temporary workaround, restrict edit rights on documents that contain translations.